Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum MaxPlanck Institute of Computer Science, Saarbruecken, Germany
5527
Maria BrasAmorós Tom Høholdt (Eds.)
Applied Algebra, AlgebraicAlgorithms, and ErrorCorrecting Codes 18th International Symposium, AAECC18 Tarragona, Spain, June 812, 2009 Proceedings
13
Volume Editors Maria BrasAmorós Universitat Rovira i Virgili Departament d’Enginyeria Informàtica i Matemàtiques Avinguda Països Catalans, 26, 43007 Tarragona, Catalonia, Spain, Email:
[email protected] Tom Høholdt The Technical University of Denmark Department of Mathematics Building 303, 2800 Lyngby, Denmark, Email:
[email protected]
Library of Congress Control Number: Applied for CR Subject Classification (1998): E.4, I.1, E.3, G.2, F.2 LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues ISSN ISBN10 ISBN13
03029743 3642021808 Springer Berlin Heidelberg New York 9783642021800 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © SpringerVerlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Cameraready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acidfree paper SPIN: 12690084 06/3180 543210
Preface
The AAECC symposia series was started in 1983 by Alain Poli (Toulouse), who, together with R. Desq, D. Lazard and P. Camion, organized the ﬁrst conference. Originally the acronym AAECC stood for “Applied Algebra and ErrorCorrecting Codes.” Over the years its meaning has shifted to “Applied Algebra, Algebraic Algorithms and ErrorCorrecting Codes,” reﬂecting the growing importance of complexity, particularly for decoding algorithms. During the AAECC12 symposium the Conference Committee decided to enforce the theory and practice of the coding side as well as the cryptographic aspects. Algebra was conserved, as in the past, but slightly more oriented to algebraic geometry codes, ﬁnite ﬁelds, complexity, polynomials, and graphs. The main topics for AAECC18 were algebra, algebraic computation, codes and algebra, codes and combinatorics, modulation and codes, sequences, and cryptography. The invited speakers of this edition were Iwan Duursma, Henning Stichtenoth, and Fernando Torres. We would like to express our deep regret for the loss of Professor Ralf K¨ otter, who recently passed away and could not be our fourth invited speaker. Except for AAECC1 (Discrete Mathematics 56, 1985) and AAECC7 (Discrete Applied Mathematics 33, 1991), the proceedings of all the symposia have been published in Springer’s Lecture Notes in Computer Science (Vols. 228, 229, 307, 356, 357, 508, 539, 673, 948, 1255, 1719, 2227, 2643, 3857, 4851). It is a policy of AAECC to maintain a high scientiﬁc standard, comparable to that of a journal. This was made possible thanks to the many referees involved. Each submitted paper was evaluated by at least two international researchers. AAECC18 received and refereed 50 submissions. Of these, 22 were selected for publication in these proceedings as regular papers and 7 were selected as extended abstracts. The symposium was organized by Maria BrasAmor´os and Tom Høholdt, with the help of Jes´ us Manj´ on, Gl` oria Pujol, Jordi Castell` a, Antoni Mart´ınez, and Xavier Fern´ andez under the umbrella of the CRISES group for Cryptography and Statistical Secrecy, at the Universitat Rovira i Virgili, led by Josep DomingoFerrer. It was sponsored by the Catalan Government, the UNESCO Chair in Data Privacy located at Universitat Rovira i Virgili, and the Spanish Network on Mathematics of Information Society. We would like to dedicate these proceedings to the memory of our colleague Ralf K¨ otter. June 2009
Maria BrasAmor´ os Tom Høholdt
Applied Algebra, Algebraic Algorithms, and Error Correcting Codes  AAECC18
General Chair Maria BrasAmor´ os
Universitat Rovira i Virgili, Catalonia, Spain
Cochair Tom Høholdt
Technical University of Denmark
Program Committee Jacques Calmet Claude Carlet Gerard D. Cohen Cunsheng Ding GuiLiang Feng Marc Giusti Guang Gong Joos Heintz Kathy Horadam Hideki Imai Navin Kashyap Shu Lin Oscar Moreno Wai Ho Mow Harald Niederreiter Michael E. O’Sullivan Ferruh Ozbudak Udaya Parampalli Alain Poli S. Sandeep Pradhan Asha Rao Shojiro Sakata HongYeop Song Chaoping Xing
University of Karlsruhe, Germany University of Paris 8, France Ecole Nationale Sup´erieure des T´el´ecommunications, France Hong Kong University of Science and Technology, China University of Southwestern Louisiana, USA Ecole Polytechnique, France University of Waterloo, Canada University of Buenos Aires, Argentina and University of Cantabria, Spain RMIT University, Australia University of Tokyo, Japan Queen’s University, Canada University of California, USA University of Puerto Rico Southwest Jiaotong University, China National University of Singapore San Diego State University, USA Middle East Technical University, Turkey University of Melbourne, Australia University P. Sabatier, France University of Michigan at Ann Arbor, USA Royal Melbourne Institute of Technology, Australia Technical University of Denmark Yonsei University, Korea Nanyang Technological University, Singapore
VIII
Organization
Organizing Committee Jes´ us Manj´ on Universitat Gl` oria Pujol Universitat Jordi Castell` aRoca Universitat Antoni Mart´ınezBallest´e Universitat Xavier Fern´ andez Universitat
Rovira Rovira Rovira Rovira Rovira
i i i i i
Virgili, Virgili, Virgili, Virgili, Virgili,
Catalonia, Catalonia, Catalonia, Catalonia, Catalonia,
Spain Spain Spain Spain Spain
Table of Contents
Codes The Order Bound for Toric Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Peter Beelen and Diego Ruano
1
An Extension of the Order Bound for AG Codes . . . . . . . . . . . . . . . . . . . . . Iwan Duursma and Radoslav Kirov
11
Sparse Numerical Semigroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C. Munuera, F. Torres, and J. Villanueva
23
From the Euclidean Algorithm for Solving a Key Equation for Dual Reed–Solomon Codes to the BerlekampMassey Algorithm . . . . . . . . . . . . Maria BrasAmor´ os and Michael E. O’Sullivan Rank for Some Families of Quaternary ReedMuller Codes . . . . . . . . . . . . Jaume Pernas, Jaume Pujol, and Merc`e Villanueva Optimal Bipartite Ramanujan Graphs from Balanced Incomplete Block Designs: Their Characterizations and Applications to Expander/LDPC Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tom Høholdt and Heeralal Janwal Simulation of the SumProduct Algorithm Using Stratiﬁed Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . John Brevik, Michael E. O’Sullivan, Anya Umlauf, and Rich Wolski A Systems Theory Approach to Periodically TimeVarying Convolutional Codes by Means of Their Invariant Equivalent . . . . . . . . . . JoanJosep Climent, Victoria Herranz, Carmen Perea, and Virtudes Tom´ as
32 43
53
65
73
On Elliptic Convolutional Goppa Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jos´e Ignacio Iglesias Curto
83
The Minimum Hamming Distance of Cyclic Codes of Length 2ps . . . . . . . ¨ ¨ Hakan Ozadam and Ferruh Ozbudak
92
There Are Not Nonobvious Cyclic Aﬃneinvariant Codes . . . . . . . . . . . . . ´ Jos´e Joaqu´ın Bernal, Angel del R´ıo, and Juan Jacobo Sim´ on
101
On Selfdual Codes over Z16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kiyoshi Nagata, Fidel Nemenzo, and Hideo Wada
107
X
Table of Contents
Cryptography A Nonabelian Group Based on Block Upper Triangular Matrices with Cryptographic Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ´ Rafael Alvarez, Leandro Tortosa, Jos´e Vicent, and Antonio Zamora Word Oriented Cascade Jump σ−LFSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . Guang Zeng, Yang Yang, Wenbao Han, and Shuqin Fan On Some Sequences of the Secret Pseudorandom Index j in RC4 Key Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Riddhipratim Basu, Subhamoy Maitra, Goutam Paul, and Tanmoy Talukdar
117 127
137
VeryEﬃcient Anonymous PasswordAuthenticated Key Exchange and Its Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SeongHan Shin, Kazukuni Kobara, and Hideki Imai
149
Eﬃcient Constructions of Deterministic Encryption from Hybrid Encryption and CodeBased PKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yang Cui, Kirill Morozov, Kazukuni Kobara, and Hideki Imai
159
Algebra Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ´ Alvar Ibeas and Arne Winterhof
169
New Commutative Semiﬁelds and Their Nuclei . . . . . . . . . . . . . . . . . . . . . . J¨ urgen Bierbrauer
179
Spreads in Projective Hjelmslev Geometries . . . . . . . . . . . . . . . . . . . . . . . . . Ivan Landjev
186
On the Distribution of Nonlinear Congruential Pseudorandom Numbers of Higher Orders in Residue Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Edwin D. ElMahassni and Domingo Gomez Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t . . . . . . ´ ´ V´ıctor Alvarez, Jos´e Andr´ es Armario, Mar´ıa Dolores Frau, F´elix Gudiel, and Amparo Osuna
195 204
Extended Abstracts Interesting Examples on Maximal Irreducible Goppa Codes . . . . . . . . . . . Marta Giorgetti
215
Repeated Root Cyclic and Negacyclic Codes over Galois Rings . . . . . . . . . Sergio R. L´ opezPermouth and Steve Szabo
219
Table of Contents
XI
Construction of Additive ReedMuller Codes . . . . . . . . . . . . . . . . . . . . . . . . J. Pujol, J. Rif` a, and L. Ronquillo
223
Gr¨ obner Representations of Binary Matroids . . . . . . . . . . . . . . . . . . . . . . . . M. BorgesQuintana, M.A. BorgesTrenard, and E. Mart´ınezMoro
227
A Generalization of the ZigZag Graph Product by Means of the Sandwich Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . David M. Monarres and Michael E. O’Sullivan
231
Novel Eﬃcient Certiﬁcateless Aggregate Signatures . . . . . . . . . . . . . . . . . . . Lei Zhang, Bo Qin, Qianhong Wu, and Futai Zhang
235
Bounds on the Number of Users for Random 2Secure Codes . . . . . . . . . . Manabu Hagiwara, Takahiro Yoshida, and Hideki Imai
239
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
243
The Order Bound for Toric Codes Peter Beelen and Diego Ruano DTUMathematics, Technical University of Denmark, Matematiktorvet, Building 303, 2800 Kgs. Lyngby, Denmark {P.Beelen,D.Ruano}@mat.dtu.dk
Abstract. In this paper we investigate the minimum distance of generalized toric codes using an order bound like approach. We apply this technique to a family of codes that includes the Joyner code. For some codes in this family we are able to determine the exact minimum distance.
1
Introduction
In 1998 J.P. Hansen considered algebraic geometry codes deﬁned over toric surfaces [7]. Thanks to combinatorial techniques of such varieties he was able to estimate the parameters of the resulting codes. For example, the minimum distance was estimated using intersection theory. Toric geometry studies varieties which contain an algebraic torus as a dense subset and where moreover the torus acts on the variety. The importance of such varieties, called toric varieties, resides in their correspondence with combinatorial objects, which makes the techniques to study the varieties (such as cohomology, intersection theory, resolution of singularities, etc) more precise and at the same time tractable [3,6]. The order bound gives a way to obtain a lower bound for the minimum distance of linear codes [1,4,5,9]. Especially for codes from algebraic curves this technique has been very successful. In this article we will develop a similar bound for toric codes. Actually our bound also works for the more general class of generalized toric codes (see Section 2). This will give a new way of estimating the minimum distance of toric codes that in some examples give a better bound than intersection theory. Another advantage is that known algorithms [4,5] can be used to decode the codes up to half the order bound. As an example we will compute the order bound for a family of codes that includes the Joyner codes [11]. For this reason we call these codes generalized Joyner codes. Also we will compute the exact minimum distance for several generalized Joyner codes. It turns out that a combination of previously known techniques and the order bound gives a good estimate of the minimum distance of generalized Joyner codes. The paper is organized as follows. In Section 2 we will give an introduction to toric codes and generalized toric codes, while in Section 3 the order bound for
The work of D. Ruano is supported in part by DTU, H.C. Oersted post doc. grant (Denmark) and by MEC MTM200764704 and Junta de CyL VA065A07 (Spain).
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 1–10, 2009. c SpringerVerlag Berlin Heidelberg 2009
2
P. Beelen and D. Ruano
these codes will be established. The last section of the paper will illustrate the theory by applying the results to generalized Joyner codes.
2
Toric Codes and Generalized Toric Codes
Algebraic geometry codes [9,19] are usually deﬁned evaluating algebraic functions over a nonsingular projective variety X deﬁned over a ﬁnite ﬁeld. The functions of L(D) are evaluated at certain rational points of the curve (P = {P1 , . . . , Pn }), where D is a divisor whose support does not contain any of the evaluation points. The zeros and poles of the functions of L(D) are bounded by D. More precisely, the algebraic geometry code C(X, D, P) is the image of the linear map: ev : L(D) → Fnq f → (f (P1 ), . . . , f (Pn )) In this section we introduce toric codes, that is, algebraic geometry codes over toric varieties. One can deﬁne a toric variety and a Cartier divisor using a convex polytope, namely, a convex polytope is the same datum as a toric variety and Cartier divisor. Let M be a lattice isomorphic to Zr for some r ∈ Z and MR = M ⊗ R. Let P be an rdimensional rational convex polytope in MR and let us consider XP and DP the toric variety and the Cartier divisor deﬁned by P [15]. We may assume that XP is non singular, in other case we reﬁne the fan [6, Section 2.6]. Let L(DP ) be the Fq vector space of functions f over XP such that div(f ) + DP 0. The toric code C(P ) associated to P is the image of the linear evaluation map ev : L(DP ) → Fnq f → (f (t))t∈T where the set of points P = T is the algebric torus T = (F∗q )r . Since we evaluate at #T points, C(P ) has length n = (q − 1)r . One has that L(DP ) is the Fq vector space generated by the monomials with exponents in P ∩ M L(DP ) = {X u = X1u1 · · · Xrur  u ∈ P ∩ M } ⊂ Fq [X1 , . . . , Xr ] The minimum distance of a toric code C(P ) may be estimated using intersection theory [8,15]. Also, it can be estimated using a multivariate generalization of Vandermonde determinants on the generator matrix [13]. For plane polytopes, r = 2, one can estimate the minimum distance using the HasseWeil bound and combinatorial invariants of the polytope (the Minkowsky sum [12] and the Minkowsky length [17]). An extension of toric codes are the socalled generalized toric codes [16]. The generalized toric code C(U ) is the image of the Fq linear map ev : Fq [U ] → Fnq f → (f (t))t∈T where U ⊂ H = {0, . . . , q − 2}r and Fq [U ] is the Fq vector space
The Order Bound for Toric Codes
3
Fq [U ] = X u = X1u1 · · · Xrur  u = (u1 , . . . , ur ) ∈ U ⊂ Fq [X1 , . . . , Xr ]. Let u be u mod ((q−1)Z)r , that is u = (u1 mod (q−1), . . . , ur mod (q−1)), for u ∈ Zr , and U = {u  u ∈ U }. The dimension of the code C(U ) is k = #U = #U , since the evaluation map ev is injective. By [16, Theorem 6], one has that the dual code of C(U ) is C(U ⊥ ), where ⊥ U = H \ −U, with −U = {−u  u ∈ U }. Namely, we have 0 if u + u = 0 u u ev(X ) · ev(X ) = (1) r (−1) if u + u = 0 for u, u ∈ H, where · denotes the inner product in Fnq . The family of generalized toric codes includes the ones obtained evaluating polynomials of an arbitrary subalgebra of Fq [X1 , . . . , Xr ] at T , in particular toric codes. However, there is no estimate so far for the minimum distance in this more general setting, the order bound techniques in this paper will apply to generalized toric codes as well. From now on we will consider generalized toric codes but for the sake of simplicity, we will just call them toric codes.
3
The Order Bound for Toric Codes
In this section we follow the order bound approach to estimate the minimum distance of the dual code of a toric code C(U ), for U ⊂ H. Let B1 = {g1 , . . . , gn } and B2 = {h1 , . . . , hn } be two bases of Fq [H]. For c = ev(f ) ∈ C(U ), we consider the syndrome matrix S(c) = (si,j )1≤i,j≤n , with si,j = (ev(gi ) ∗ ev(hj )) · ev(f ) = ev(gi hj ) · ev(f ), where ∗ denotes the componentwise product. In other words, S(c) = M1 D(c)M2t , where D is the diagonal matrix with c in the diagonal and M1 and M2 are the evaluation matrices given by ⎞ ⎞ ⎛ ⎛ g1 (t1 ) g1 (t2 ) · · · g1 (tn ) h1 (t1 ) h1 (t2 ) · · · h1 (tn ) ⎜ g2 (t1 ) g2 (t2 ) · · · g2 (tn ) ⎟ ⎜ h2 (t1 ) h2 (t2 ) · · · h2 (tn ) ⎟ ⎟ ⎟ ⎜ ⎜ , M M1 = ⎜ . = ⎟ ⎜ .. .. .. .. .. .. .. ⎟ . 2 ⎠ ⎝ .. ⎝ . . . . . . . ⎠ gn (t1 ) gn (t2 ) · · · gn (tn )
hn (t1 ) hn (t2 ) · · · hn (tn )
Here t1 , . . . , tn denote the points of the algebraic torus. Note that M1 and M2 have full rank, since the evaluation map is injective. This implies that the rank of S(c) equals wt(c). It is convenient to consider bases of Fq [H] consisting of monomials, that is, we set gi = X vi and hi = X wi , for i = 1, . . . , n, with {v1 , . . . , vn } = {w1 , . . . , wn } = H. Then, we can easily compute the syndrome matrix for a codeword using the following lemma. u and S(ev(f )) = (si,j )1≤i,j≤n the syndrome Lemma 1. Let f = u∈H λu X matrix of ev(f ). Then, one has that si,j = (−1)r λ−(vi +wj ) . In particular, si,j is equal to zero if and only if vi + wj ∈ / −supp(f ), where supp(f ) denotes the support of f , supp(f ) = {u ∈ H  λu = 0}.
4
P. Beelen and D. Ruano
Proof. By deﬁnition, si,j = ev(X vi +wj ) · ev( = (−1)r λ−(vi +wj )
λu X u ) =
u∈H
ev(X vi +wj ) · ev(λu X u )
u∈H
(by (1)).
Therefore, si,j is equal to zero if and only if −(vi + wj ) is not in the support of f . Equivalently, si,j = 0 if and only if vi + wj ∈ / −supp(f ).
To bound the minimum distance using order domain theory, we should give a lower bound for the rank of the syndrome matrix. Since the order bound gives an estimate for the minimum distance of the dual code, we begin by considering C(U )⊥ = C(U ⊥ ) to get a bound for the minimum distance of C(U ). Let H = {u1 , . . . , un }, with U ⊥ = {u1 , . . . , un−k } ⊂ H, notice that U = {−un−k+1 , . . . , −un }. We are dealing with an arbitrary order on H, we only require, for the sake of simplicity, that the ﬁrst n − k elements of H are the elements of U ⊥ . For l ∈ {0, . . . , k − 1}, we consider the following ﬁltration of codes depending on the previous ordering C C1 C2 · · · Cl Cl+1 , where C = C(U ⊥ ) and Cm = C(U ⊥ ∪ {un−k+1 , . . . , un−k+m }), for m = 1, . . . , l + 1, and their dual codes, ⊥ C ⊥ C1⊥ C2⊥ · · · Cl⊥ Cl+1 , ⊥ with C ⊥ = C(U ) and Cm = C(U \ {−un−k+1 , . . . , −un−k+m }), for m = 1, . . . , l + ⊥ 1, since (U ∪ {un−k+1 , . . . , un−k+m })⊥ = U \ {−un−k+1 , . . . , −un−k+m }. ⊥ We wish to bound the weight of c ∈ Cl⊥ \ Cl+1 . Let νl be the largest integer (in {1, . . . , n}) such that
• vi + wi = un−k+l+1 , for i = 1, . . . , νl . • vi + wj ∈ U ⊥ ∪ {un−k+1 , . . . , un−k+l }, for i = 1, . . . , νl and j < i. ⊥ Proposition 1. Let c ∈ Cl⊥ \ Cl+1 , then wt(c) ≥ νl . Proof. Let c = ev(f ), then f = λu X u , where u ∈ U \ {−un−k+1 ,. . . ,−un−k+l }. ⊥ Notice that λ−un−k+l+1 = 0, since c ∈ / Cl+1 . Hence we have by Lemma 1 that,
• si,i = 0, for i = 1, . . . , νl , since vi + wi = un−k+l+1 ∈ −supp(f ), for i = 1, . . . , νl . • si,j = 0, for i = 1, . . . , νl , since vi + wj ∈ U ⊥ ∪ {un−k+1 , . . . , un−k+l }, for j < i. That is, vi + wj ∈ / −supp(f ) because H \ (U ⊥ ∪ {un−k+1 , . . . , un−k+l }) = −U \ {un−k+1 , . . . , un−k+l } Therefore, the submatrix of S(c) consisting of the ﬁrst νl rows and columns has full rank. In particular, the rank of S(c) is at least νl and the result holds since the rank of S(c) is equal to the weight of c.
The Order Bound for Toric Codes
5
For every l in {0, . . . , k − 1} we consider a ﬁltration and we obtain a bound for ⊥ the weight of a word in Cl⊥ \ Cl+1 . Therefore, we have obtained the following bound for the minimum distance of C ⊥ = C(U ). Theorem 1. Let C(U ) be a toric code with U ⊂ H. Then, d(C(U )) ≥ min{νl  l = 0, . . . , k − 1}. Remark 1. We can apply known decoding algorithms [4,5] to decode a toric code C(U ) up to half of the order bound obtained in the previous theorem. In the next section we will use the above approach to estimate the minimum distance of a family of toric codes.
4
Generalized Joyner Codes
In this section we will introduce a class of toric codes that includes the wellknown Joyner code [11, Example 3.9]. After introducing these codes, we will calculate a lower bound for their minimum distances using techniques from Section 3. Then we will calculate another lower bound for the minimum distance using a combination of the order bound and Serre’s improvement of HasseWeil’s theorem on the number of rational points on a curve [18]. In some cases we are able to compute the exact minimum distance. In this section we will always assume that r = 2, so that H = {0, . . . , q − 2} × {0, . . . , q − 2}. Definition 1. Let q be a power of a prime and a an integer satisfying 2 ≤ a ≤ q − 2. We define the sets Ua = {(u1 , u2 ) ∈ H  u1 + u2 ≤ a + 1, u1 − au2 ≤ 0, −au1 + u2 ≤ 0}, Ta = {(u1 , u2 ) ∈ H  u1 + u2 ≤ a + 1, u1 ≥ 1, u2 ≥ 1}, Va = Ua \{(1, a)}, and Wa = Ua \{(a, 1)}. The set Ua consists of all elements of H lying in or on the boundary of the triangle with vertices (0, 0), (1, a) and (a, 1). Note that the condition on a ensures that the points (1, a) and (a, 1) are in H. Also note that the set Ua can be obtained by joining (0, 0) to the set Ta . All sets in the above deﬁnition are actually sets of integral points in a polytope, so the corresponding codes are classical toric codes. We wish to investigate the toric code C(Ua ) and begin by establishing some elementary properties: Lemma 2. The code C(Ua ) is an [(q − 1)2 , 1 + a(a + 1)/2, d] code over Fq and we have d ≤ (q − 1)(q − a).
6
P. Beelen and D. Ruano
Proof. Since the set Ua is contained in H, the dimension of the corresponding code is equal to the number of elements in Ua . Since Ua can be obtained by joining {(0, 0)} to the set Ta the formula for the dimension follows by a counting argument. To prove the result on the minimum distance ﬁrst note that the code C(Ta ) is a subcode of C(Ua ). It is well known, [8, Theorem 1.3], that d(C(Ta )) = (q − 1)(q − a), so the result follows.
The code C(U4 ) is the Joyner code over Fq , see [11]. It is known that for q ≥ 37 its minimum distance is equal to (q − 1)(q − 4), [17], meaning that the upper bound in the previous lemma is attained. In fact equality already holds for much smaller q. Using a computer one ﬁnds that q = 8 is the smallest value of q for which equality holds. It is conjectured that for all q ≥ 8 one has that d(C(U4 )) = (q − 1)(q − 4). This behavior turns out to happen as well for other values of a. This is the reason we study these codes in this section. We proceed our investigation by calculating two lower bounds for the minimum distance of the codes C(Ua ). The ﬁrst one holds for any q, while the second one turns out to be interesting only for large q. Proposition 2. The minimum distance d of the Fq linear code C(Ua ) satisfies d ≥ (q − 1)(q − a − 1). Proof. Since d(C(Ta )) = (q − 1)(q − a), the proposition follows once we have shown that wt(c) ≥ (q − 1)(q − a − 1) for any c ∈ C(Ua )\C(Ta ). For such c it holds that c = ev(f ) for some f ∈ Fq [Ua ] satisfying that (0, 0) ∈ supp(f ). We will now use Proposition 1. Any number i between 0 and (q − 1)(q − a − 1) − 1 can be written uniquely as i = βi · (q − 1) + αi with αi and βi integers satisfying 0 ≤ αi ≤ q − 2 and 0 ≤ βi ≤ q − a − 2. For i between 0 and (q − 1)(q − a − 1) − 1 we then deﬁne vi = (αi , βi ) and wi = −vi . By construction of wi it then holds that vi + wi = (0, 0). On the other hand, if j < i, then vi + wj = (0, 0) and 0 ≤ βi − βj ≤ q − a − 2 implying that vi + wj ∈ −Ua . By Proposition 1, we get that wt(c) ≥ (q − 1)(q − a − 1).
For q = 8 and a = 4, the Joyner code case, we obtain that d ≥ 21. An other method to obtain a lower bound for the minimum distance of toric codes is to use intersection theory. For the Joyner code over F8 one can prove in this way that d ≥ 12, [14]. The bound we get compares favorably to it. Another advantage of the order bound techniques is that they are valid for generalized toric codes as well. Now we obtain a second lower bound on the minimum distance of the code C(Ua ). First we need a lemma. Lemma 3. Let c be a nonzero codeword from the code C(Va ) or the code C(Wa ). Then wt(c) ≥ (q − 1)(q − a). Proof. Suppose that c ∈ C(Va ) (the case that c ∈ C(Wa ) can be dealt with similarly by symmetry and will not be discussed below). If c ∈ C(Ta ), we are done. Therefore we can suppose that c ∈ C(Va )\C(Ta ). Exactly as in the proof
The Order Bound for Toric Codes
7
of Proposition 2 we now deﬁne for i between 0 and (q − 1)(q − a) − 1 the tuple ui = (αi , βi ). The only diﬀerence is that now βi is also allowed to be q − a, otherwise everything is the same. Further we also deﬁne wi = −vi . Then we have that vi + wi = (0, 0) and for j < i, we obtain that vi + wj = (0, 0) and 0 ≤ βi − βj ≤ q − a − 1. This implies that vi + wj ∈ −Va . The lemma now follows.
One can use Lemma 3 and the fact that d(C(Ta )) = (q−1)(q−a) [8], to restrict the number of possibilities for a nonzero codeword of weight less than (q − 1)(q − a). Namely, it has to be the evaluation of a function f = λu X u with nonzero coeﬃcients λ(a,1) , λ(0,0) , λ(1,a) . We will use this in the following proposition. We distinguish cases between a = 2 and a > 2. Proposition 3. Let Ua be the set from Definition 1 and let a > 2. The minimum distance d of the code C(Ua ) satisfies a(a − 1) √ 2 d ≥ min (q − 1)(q − a), q − 3q + 2 − 2 q . 2 Proof. Let c ∈ C(Ua ) be a nonzero codeword and suppose that c = ev(f ). If supp(f ) ⊂ Ta then we know that wt(c) ≥ (q − 1)(q − a) from [8] as noted before. If supp(f ) ⊂ Va or supp(f ) ⊂ Wa then wt(c) ≥ (q − 1)(q − a) by Lemma 3. We are left with the case that {(0, 0), (1, a), (a, 1)} ⊂ supp(f ). In this case the Newtonpolygon of the polynomial f is Minkowskiindecomposable which implies that the polynomial f is absolutely irreducible. We can therefore consider the algebraic curve Cf deﬁned by the equation f = 0. From Newtonpolygon theory it follows that this curve has geometric genus at most a(a − 1)/2 and that the edges from (0, 0) to (1, a) and from (0, 0) to (a, 1) correspond to two rational points at inﬁnity using projective coordinates (see [2, Remark 3.18 and Theorem 4.2]). We denote by N the total number of pairs (α, β) ∈ F2q such that √ f (α, β) = 0. We claim that N ≤ q − 1 + a(a − 1)/2 q. If the curve C has no singularities, all solutions (α, β) correspond onetoone to all aﬃne Fq rational points. Taking into account that there at least 2 rational points at inﬁnity (in fact at least 3 if a = 2), the claim follows from Serre’s bound (and can be slightly improved if a = 2). If there are singularities, a solution (α, β) may not correspond to a rational point on C, but for every such solution the genus will drop at least one, so the claim still follows from Serre’s bound. The proposition
now follows, since wt(c) ≥ (q − 1)2 − N . For a = 2 we can determine the exact minimum distance. We will do so in the following theorem. This theorem is formulated using the existence or nonexistence of an elliptic curve with a certain number of points. The theorem is completely constructive, since it is very easy to determine if an elliptic curve deﬁned over Fq with a certain number of points exists. To this end one can use the following fact [20, Theorem 4.1]: Let q be a power of a prime p and let t be an integer. There exists an elliptic curve deﬁned over Fq with q + 1 + t points if and only if the following holds:
8
P. Beelen and D. Ruano
1. p  t and t2 ≤ 4q, 2. e is odd and one of the following holds (a) t = 0, (b) t2 = 2q and p = 2, (c) t2 = 3q and p = 3 , 3. e is even and one of the following holds (a) t2 = 4q, (b) t2 = q and p ≡ 1 mod 3, (c) t = 0 and p ≡ 1 mod 4. Theorem 2. Denote by d the minimum distance of the Fq linear code C(U2 ). Further let t be the largest integer such that 1. 3  q + 1 + t, 2. there exists an elliptic curve defined over Fq with q + 1 + t points. Then we have: d = q 2 − 3q + 3 − t. Proof. Analogously as in the previous proposition we only have to consider codewords coming from functions f such that {(0, 0), (1, 2), (2, 1)} ⊂ supp(f ). We again consider the curve Cf given by the equation f = 0. In this case all three edges of the Newton polygon of f correspond to rational points at inﬁnity. The polynomial f can be written as α + βX1 X2 + γX1 X22 + δX12 X2 , where α, γ and δ are nonzero. We may assume that the curve does not have singularities, since otherwise the geometric genus of Cf is zero, which implies that the equation f = 0 has at most 1 + (q + 1) − 3 = q − 1 solutions in F2q (the ﬁrst term represents the singular point which could have rational coordinates). This would give rise to a codeword of weight at least (q − 1)2 − (q − 1) = q 2 − 3q + 2. By changing variables to U = −γX1 X2 /δ and V = γX12 X2 /δ (or equivalently X1 = −V /U and X2 = δU 2 /(γV )) one can show that the curve Cf is also given by the equation V 2 − βU V /δ + αγV /δ 2 = U 3 . Since we have assumed that the curve Cf is nonsingular, it is an elliptic curve and we already found a Weierstrass equation for it. In (U, V ) coordinates one sees that (0, 0) is a point on the elliptic curve and using the addition formula one checks that this point has order three in the elliptic curve group. Denote the total number of rational points on Cf by q + 1 + t, then clearly there exists an elliptic curve with q + 1 + t points. Since the point (0, 0) has order three, the total number of rational points has to be a multiple of three and it follows that 3q + 1 + t. Reasoning back we see that the total number of aﬃne solutions to the equation f = 0 in F2q equals q + 1 + t − 3 = q − 2 + t. On the other hand there are no solutions with zero coordinates, so we have that wt(ev(f )) = (q − 1)2 − (q − 2 + t). It remains to be shown which values of t are possible when the polynomial f is varied. It is shown in [10, Section 4.2] that any elliptic curve having (0, 0) as a point of order three has a Weierstrass equation of the form V 2 + a1 U V + a3 V = U 3 , with a3 = 0. This implies that t can be any value satisfying the two conditions stated in the formulation of the theorem. Choosing the maximal one among these values gives a codeword of lowest possible nonzero weight. This concludes the proof.
The Order Bound for Toric Codes
9
If a > 2 the situation is more complicated. Given a ﬁxed a the lower bound from Proposition 2 is good for relatively small q, while the lower bound from Proposition 3 becomes better as q becomes larger. A combination of the techniques from Section 3 and this section gives an in general good lower bound for the minimum distance. In some cases we are able to determine the minimum distance and we describe when this happens in the following theorem. Theorem 3. Let q be a prime power and consider a natural number a satisfying 2 < a ≤ q − 2. Define the set Ua as in Definition 1. Then we have the following for the minimum distance d of the Fq linear code C(Ua ): √ d = (q − 1)(q − a) if 2(a − 2)(q − 1) ≥ (a − 1)a2 q. √ Proof. If (q − 1)(q − a) ≤ q 2 − 3q + 2 − a(a − 1)2 q/2, then it follows from Lemma 2 and Proposition 3 that d = (q − 1)(q − a). The theorem follows after some manipulation of this inequality.
For small values of a we obtain the following corollary. Note that the results for a = 4 are the same as in [17]. Corollary 1. We have d(C(U3 )) = (q − 1)(q − 3) d(C(U4 )) = (q − 1)(q − 4) d(C(U5 )) = (q − 1)(q − 5) d(C(U6 )) = (q − 1)(q − 6)
if if if if
q q q q
≥ 37, ≥ 37, = 41 or q ≥ 47, ≥ 59.
As in the case for the Joyner code it seems that the for many small values of q it also holds that d(C(Ua )) = (q − 1)(q − a). We know by Corollary 1 and some computer calculations that d(C(U3 )) = (q −1)(q −3) if q ≥ 23. It is known for the Joyner code that d(C(U4 )) = (q − 1)(q − 4) if q ≥ 8. Finally we conjecture that d(C(U5 )) = (q − 1)(q − 5) if q ≥ 9. It remains future work to prove this conjecture without the aid of a computer and to establish what happens for larger values of a.
References 1. Beelen, P.: The order bound for general algebraic geometric codes. Finite Fields Appl. 13(3), 665–680 (2007) 2. Beelen, P., Pellikaan, R.: The Newton polygon of plane curves with many rational points. Des. Codes Cryptogr. 21(13), 41–67 (2000) 3. Danilov, V.I.: The geometry of toric varieties. Russian Math. Surverys 33(2), 97– 154 (1978) 4. Duursma, I.M.: Majority coset decoding. IEEE Trans. Inform. Theory 39(3), 1067– 1070 (1993) 5. Feng, G.L., Rao, T.R.N.: Improved geometric Goppa codes. I. Basic theory. IEEE Trans. Inform. Theory 41(6, part 1), 1678–1693 (1995) 6. Fulton, W.: Introduction to toric varieties. Annals of Mathematics Studies, vol. 131. Princeton University Press, Princeton (1993)
10
P. Beelen and D. Ruano
7. Hansen, J.P.: Toric surfaces and errorcorrecting codes. In: Buchmann, J., Høholdt, T., Stichtenoth, H., TapiaRecillas, H. (eds.) Coding theory, cryptography and related areas (Guanajuato, 1998), pp. 132–142. Springer, Berlin (2000) 8. Hansen, J.P.: Toric varieties Hirzebruch surfaces and errorcorrecting codes. Appl. Algebra Engrg. Comm. Comput. 13(4), 289–300 (2002) 9. Høholdt, T., van Lint, J.H., Pellikaan, R.: Algebraic geometry of codes. In: Handbook of coding theory, vol. I, II, pp. 871–961. NorthHolland, Amsterdam (1998) 10. Husem¨ oller, D.: Elliptic curves, 2nd edn. Graduate Texts in Mathematics, vol. 111. Springer, New York (2004) 11. Joyner, D.: Toric codes over finite fields. Appl. Algebra Engrg. Comm. Comput. 15(1), 63–79 (2004) 12. Little, J., Schenck, H.: Toric surface codes and Minkowski sums. SIAM J. Discrete Math. 20(4), 999–1014 (2006) 13. Little, J., Schwarz, R.: On toric codes and multivariate Vandermonde matrices. Appl. Algebra Engrg. Comm. Comput. 18(4), 349–367 (2007) 14. Mart´ınezMoro, E., Ruano, D.: Toric codes. In: Advances in Algebraic Geometry Codes. Series on Coding Theory and Cryptology, vol. 5, pp. 295–322. World Scientific, Singapore (2008) 15. Ruano, D.: On the parameters of rdimensional toric codes. Finite Fields Appl. 13(4), 962–976 (2007) 16. Ruano, D.: On the structure of generalized toric codes. J. Symb. Comput. 44(5), 499–506 (2009) 17. Soprunov, I., Soprunova, E.: Toric surface codes and minkowski length of polygons. arXiv:0802.2088v1 [math. AG] (2008) 18. Serre, J.P.: Sur le nombre des points rationnels d’une courbe alg´ebrique sur un corps fini. C. R. Acad. Sci. Paris S´er. I Math. 296(9), 397–402 (1983) 19. Tsfasman, M.A., Vl˘ adut¸, S.G.: Algebraicgeometric codes, Dordrecht. Mathematics and its Applications (Soviet Series), vol. 58 (1991) ´ 20. Waterhouse, W.C.: Abelian varieties over finite fields. Ann. Sci. Ecole Norm. Sup. 2(4), 521–560 (1969)
An Extension of the Order Bound for AG Codes Iwan Duursma and Radoslav Kirov Department of Mathematics, University of Illinois at UrbanaChampaign, 1409 W. Green Street (MC382) Urbana, Illinois 618012975 http://www.math.uiuc.edu/{~ duursma, ~rkirov2}
Abstract. The most successful method to obtain lower bounds for the minimum distance of an algebraic geometric code is the order bound, which generalizes the FengRao bound. By using a ﬁner partition of the set of all codewords of a code we improve the order bounds by Beelen and by Duursma and Park. We show that the new bound can be eﬃciently optimized and we include a numerical comparison of diﬀerent bounds for all twopoint codes with Goppa distance between 0 and 2g − 1 for the Suzuki curve of genus g = 124 over the ﬁeld of 32 elements. Keywords: Algebraic geometric code, order bound, Suzuki curve.
1
Introduction
To obtain lower bounds for the minimum distance of algebraic geometric codes we follow [7] and exploit a relation between the minimum distance of algebraic geometric codes and the representation of divisor classes by diﬀerences of base point free divisors. Theorem 2 gives a new improved lower bound for the weight of vectors in a subset of the code. In Section 5 we outline methods to eﬃciently optimize lower bounds for the minimum distance using the theorem. Section 6 has tables that compare diﬀerent bounds for twopoint Suzuki codes over the ﬁeld of 32 elements. Let X/F be an algebraic curve (absolutely irreducible, smooth, projective) of genus g over a ﬁnite ﬁeld F. Let F(X) be the function ﬁeld of X/F. A nonzero rational function f ∈ F(X) has divisor (f ) = P ∈X ordP (f )P = (f )0 − (f )∞ , where the positive part (f )0 gives the zeros of f and their multiplicities, and the negative part (f )∞ gives the poles of f and their multiplicities. A divisor D = P mP P is principal if it is of the form D = (f ) for some f ∈ F(X). Two divisors D and D are linearly equivalent if D = D + (f ) for some f ∈ F(X). Given a divisor D on X deﬁned over F, let L(D) denote the vector space over F of nonzero functions f ∈ F(X) for which (f ) + D ≥ 0 together with the zero function. A point P is a base point for the linear system of divisors {(f ) + D : f ∈ L(D)} if (f ) + D ≥ P for all f ∈ L(D), that is to say if L(D) = L(D − P ). We give the deﬁnition of an algebraic geometric code. For n distinct rational points P1 , . . . , Pn on X and for disjoint divisors D = P1 + · · · + Pn and G, the geometric Goppa code CL (D, G) is deﬁned as the image of the map αL : L(G) −→ F n , f → ( f (P1 ), . . . , f (Pn ) ). M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 11–22, 2009. c SpringerVerlag Berlin Heidelberg 2009
12
I. Duursma and R. Kirov
With the Residue theorem, the dual code CL (D, G)⊥ can be expressed in terms of diﬀerentials. Let Ω(X) be the module of rational diﬀerentials for X/F. For a given divisor E on X deﬁned over F, let Ω(E) denote the vector space over F of nonzero diﬀerentials ω ∈ Ω(X) for which (ω) ≥ E together with the zero diﬀerential. Let K represent the canonical divisor class. The geometric Goppa code CΩ (D, G) is deﬁned as the image of the map αΩ : Ω(G − D) −→ F n , ω → ( ResP1 (ω), . . . , ResPn (ω) ). The code CΩ (D, G) is the dual code for the code CL (D, G). We use the following characterization of the minimum distance. Proposition 1. [7, Proposition 2.1] For the code CL (D, G), and for C = D−G, d(CL (D, G)) = min{deg A : 0 ≤ A ≤ D  L(A − C) = L(−C)}. For the code CΩ (D, G), and for C = G − K, d(CΩ (D, G)) = min{deg A : 0 ≤ A ≤ D  L(A − C) = L(−C)}. Proof. There exists a nonzero word in CL (D, G) with support in A, for 0 ≤ A ≤ D, if and only if L(G − D + A)/L(G − D) = 0. There exists a nonzero word in CΩ (D, G) with support in A, for 0 ≤ A ≤ D, if and only if Ω(G − A)/Ω(G) = 0 if and only if L(K − G + A)/L(K − G) = 0. It is clear that in each case d ≥ deg C. The lower bound dGOP = deg C is the Goppa designed minimum distance of a code.
2
Coset Bounds
For a point P disjoint from D, consider the subcodes CL (D, G − P ) ⊆ CL (D, G) and CΩ (D, G + P ) ⊆ CΩ (D, G). Proposition 2. [7, Proposition 3.5] Let A = supp(c) be the support of a codeword c = (cP : P ∈ D), with 0 ≤ A ≤ D. For C = D − G, c ∈ CL (D, G)\CL (D, G − P ) ⇒ L(A − C) = L(A − C − P ). For C = G − K, c ∈ CΩ (D, G)\CΩ (D, G + P ) ⇒ L(A − C) = L(A − C − P ). Proof. There exists a word in CL (D, G)\CL (D, G − P ) with support in A, for 0 ≤ A ≤ D, if and only if CL (D, G − (D − A)) = CL (D, G − P − (D − A)) only if L(G−D+A) = L(G−D+A−P ). There exists a word in CΩ (D, G)\CΩ (D, G+P ) with support in A, for 0 ≤ A ≤ D, if and only if CΩ (A, G) = CΩ (A, G + P ) only if Ω(G − A) = Ω(G − A + P ), which can be expressed as L(K − G + A) = L(K − G + A − P ).
An Extension of the Order Bound for AG Codes
13
The order bound for the minimum distance of an algebraic geometric code is motivated by the decoding procedures in [10], [8] and combines estimates for the weight of a word c ∈ CL (D, G)\ CL (D, G − P ), or c ∈ CΩ (D, G)\ CΩ (D, G + P ). The basic version (often referred to as the simple or ﬁrst order bound [13], [4]) takes the form d(CL (D, G)) = min( min{wt(c) : c ∈ CL (D, G − iP )\CL (D, G − (i + 1)P )} ), i≥0
d(CΩ (D, G)) = min( min{wt(c) : c ∈ CΩ (D, G + iP )\CL (D, G + (i + 1)P )} ). i≥0
The order bound makes it possible to use separate estimates for diﬀerent subsets of codewords. The bound is successful if for each subset, i.e. for each i, we can ﬁnd an estimate that is better than a uniform lower bound for all codewords. Methods that provide uniform lower bounds include the Goppa designed minimum distance and bounds of ﬂoor type [17], [16], [11], [7]. It follows from the Singleton bound that the minimum distance of an algebraic geometric code can not exceed its designed minimum distance by more than g, where g is the genus of the curve. This implies that the minimum in the order bound occurs for i ∈ {0, . . . , g}. For a curve X deﬁned over the ﬁeld F, let Pic(X) be the group of divisor classes. Let Γ = {A : L(A) = 0} be the semigroup of eﬀective divisor classes. For a divisor class C, deﬁne Γ (C) = {A : L(A) = 0 and L(A − C) = 0}, Γ ∗ (C) = {A : L(A) = 0 and L(A − C) = L(−C)}. The semigroup Γ (C) has the property that A + E ∈ Γ (C) whenever A ∈ Γ (C) and E ∈ Γ. With the extra structure Γ (C) is a semigroup ideal. Similar for Γ ∗ (C). For a suitable choice of divisor class C, the subsets of coordinates A that support a codeword in an algebraic geometric code CL (D, G) or CΩ (D, G) belong to the semigroup ideals Γ ∗ (C) ⊆ Γ (C). c ∈ CL (D, G)\{0} ⇒ A = supp(c) ∈ Γ ∗ (C) ⊆ Γ (C), c ∈ CΩ (D, G)\{0} ⇒ A = supp(c) ∈ Γ ∗ (C) ⊆ Γ (C). Following [7], our approach from here on will be to estimate the minimal degree of a divisor A ∈ Γ ∗ (C). For that purpose we no longer need to refer to the codes CL (D, G) or CΩ (D, G) after we choose C = D − G or C = G − K, respectively. We write C(C) to refer to any code with designed minimum support D − G or G − K in the divisor class C. In this short paper, we restrict ourselves to the case deg C > 0 (i.e. to codes with positive Goppa designed minimum distance), so that L(−C) = 0, and Γ ∗ (C) = Γ (C). The case deg C ≤ 0 is handled with a straightforward modiﬁcation similar to that used in [7]. To apply the order bound argument we restate Proposition 2 in terms of semigroup ideals. For a given point P ∈ X, let ΓP = {A : L(A) = L(A − P )} be
14
I. Duursma and R. Kirov
the semigroup of eﬀective divisor classes with no base point at P . For a divisor class C and for a point P , deﬁne the semigroup ideal ΓP (C) = {A : L(A) = L(A − P ) and L(A − C) = L(A − C − P )}. The implications in Proposition 2 become c ∈ CL (D, G)\CL (D, G − P ) ⇒ A = supp(c) ∈ ΓP (C), c ∈ CΩ (D, G)\CΩ (D, G + P ) ⇒ A = supp(c) ∈ ΓP (C). Let ΔP (C) be the complement of ΓP (C) in ΓP , ΔP (C) = {A : L(A) = L(A − P ) and L(A − C) = L(A − C − P )}. Theorem 1. (DuursmaPark [7]) Let {A1 ≤ A2 ≤ · · · ≤ Aw } ⊂ ΔP (C) be a sequence of divisors with Ai+1 ≥ Ai + P , for i = 1, . . . , w − 1. Then deg A ≥ w, for every divisor A ∈ ΓP (C) with support disjoint from Aw − A1 . Proof. A more general version is proved in the next section.
3
Order Bounds
Following [1], we use the order bound with a sequence of points {Qi : i ≥ 0}. For Ri = Q0 + Q1 + · · · + Qi−1 , i ≥ 0, c ∈ CL (D, G − Ri )\CL (D, G − Ri − Qi ) ⇒ A = supp(c) ∈ ΓQi (C + Ri ), c ∈ CΩ (D, G + Ri )\CΩ (D, G + Ri + Qi ) ⇒ A = supp(c) ∈ ΓQi (C + Ri ). Repeated application of Theorem 1 gives the following bound for the minimum distance. Corollary 1. (DuursmaPark bound dDP for the minimum distance) Let deg A ≥ w for A ∈ ΓQi (C + Ri ), i ≥ 0 Then a code with designed minimum support in the divisor class C and with divisor D disjoint from Aw − A1 as required by the application of Theorem 1, has minimum distance at least w. The Beelen bound dB for the minimum distance [1, Theorem 7, Remark 5] is similar but assumes in the application of Theorem 1 that Aw − A1 has support in the single point Qi , for a seqeunce {A1 ≤ A2 ≤ · · · ≤ Aw } ⊂ ΔQi (C + Ri ). The Beelen bound dB has a weaker version (which we will denote by dB0 ) that assumes that moreover A1 has support in the point Qi . The simple or ﬁrst order bound uses the further specialization that Qi = P for i ≥ 0. For G = K + C, such that deg C > 0, and for D disjoint from P , the simple order bound becomes d(CL (D, G)⊥ ) ≥ min #(ΔP (C + iP ) ∩ {jP : j ≥ 0}). i≥0
For G = mP this is the original FengRao bound.
An Extension of the Order Bound for AG Codes
15
The purpose of the order bound is to improve on uniform bounds such as the ﬂoor bound. In rare occasions the Beelen bound is less than bounds of ﬂoor type [1], [7] (this is the case for a single code in Table 1). Compared to the Beelen bound, the ABZ order bound dABZ [7, Theorem 6.6] allows Aj+1 − Aj ∈ {kQi : k > 0} for a single j in the range j = 1, . . . , w − 1. With that modiﬁcation the ABZ order bound always is at least the ABZ ﬂoor bound dABZ [7, Theorem 2.4] which is the best known bound of ﬂoor type. In general, dB0 ≤ dB ≤ dABZ ≤ dDP and dABZ ≤ dABZ .
4
Extension of the Order Bound
We seek to exploit the argument in the order bound a step further by using a partition CL (D, G − iP )\CL (D, G − (i + 1)P ) = ∪j≥0 CL (D, G − iP − jQ)\ (CL (D, G − (i + 1)P − jQ) ∪ CL (D, G − iP − (j + 1)Q). We apply the argument in the setting of the divisor semigroups. For a ﬁnite set S of rational points, let ΓS = ∩P ∈S ΓP , and let ΓS (C) = {A ∈ ΓS : A − C ∈ ΓS }, so that ΓS (C) = ∩P ∈S ΓP (C). Let ΔS (C) = ∪P ∈S ΔP (C). Proposition 3. For a divisor class C, for a finite set of rational points S, and for P ∈ S, ΓS (C) ∩ ΓP = ∪i≥0 ΓS∪P (C + iP ). Proof. Since P ∈ S, P ∈ ΓS , and, for A − C − iP ∈ ΓS , A − C ∈ ΓS . Therefore ΓS∪P (C + iP ) = ΓS (C + iP ) ∩ ΓP (C + iP ) ⊆ ΓS (C) ∩ ΓP . For the other inclusion, let A ∈ ΓS (C)∩ΓP . Then A−C ∈ ΓS and L(A−C) = 0. Choose i ≥ 0 maximal such that L(A − C) = L(A − C − iP ). Then A − C − iP ∈ ΓS∪P . As a special case Γ (C) ∩ ΓP = ∪i≥0 ΓP (C + iP ). Theorem 1 gives a lower bound for deg A, for A ∈ ΓP (C). Combination of the lower bounds for C ∈ {C + iP : i ≥ 0} then gives a lower bound for deg A, for A ∈ Γ (C) ∩ ΓP . In combination with Γ (C + iP ) ∩ ΓQ = ∪j≥0 Γ{P,Q} (C + iP + jQ), we obtain, for S = {P, Q}, Γ (C) ∩ ΓS = ∪i,j≥0 ΓS (C + iP + jQ). The next theorem gives a lower bound for deg A, for A ∈ ΓS (C). For S = {P, Q}, combination of the lower bounds for C ∈ {C + iP + jQ : i, j ≥ 0} then gives a lower bound for deg A, for A ∈ Γ (C) ∩ ΓS . Theorem 2. (Main theorem) Let {A1 ≤ A2 ≤ · · · ≤ Aw } ⊂ ΔS (C) be a sequence of divisors with Ai ∈ ΔPi (C), Pi ∈ S, for i = 1, . . . , w, such that Ai − Pi ≥ Ai−1 for i = 2, . . . , w. Then deg A ≥ w, for every divisor A ∈ ΓS (C) with support disjoint from Aw − A1 .
16
I. Duursma and R. Kirov
Lemma 1. For D ∈ ΓP (C), ΔP (C) ⊆ ΔP (D ). Proof. For D − C ∈ ΓP , if A − C ∈ ΓP then A − D ∈ ΓP . Lemma 2. Let lC (A) = l(A) − l(A − C). Then A ∈ ΔP (C) ⇔ lC (A) − lC (A − P ) = 1. Proof. lC (A) − lC (A − P ) = 1 ⇔ (l(A) − l(A − P )) − (l(A − C) − l(A − C − P )) = 1 ⇔ l(A) − l(A − P ) = 1 ∧ l(A − C) − l(A − C − P ) = 0 ⇔ A ∈ ΔP (C). Proof. (Theorem 2) For A = D ∈ ΓS (C) ⊆ ΓPi (C) and for Ai ∈ ΔPi (C), Ai ∈ ΔPi (D ), by Lemma 1, and lD (Ai ) = lD (Ai − Pi ) + 1 by Lemma 2. With Ai − Pi ≥ Ai−1 , there exists a natural map L(Ai−1 )/L(Ai−1 − D ) −→ L(Ai − Pi )/L(Ai − Pi − D ). With (Ai − Pi ) − Ai−1 disjoint form D , the map is injective, since L(Ai−1 ) ∩ L(Ai − Pi − D ) = L(Ai−1 − D ). So that lD (Ai − Pi ) ≥ lD (Ai−1 ). Iteration over i yields deg D ≥ lD (Aw ) ≥ lD (Aw−1 ) + 1 ≥ · · · ≥ lD (A1 ) + w − 1 ≥ lD (A1 − P1 ) + w. To obtain lower bounds with the theorem, we need to construct sequences of divisors in ΔS (C). In the next section we discuss how this can be done eﬀectively.
5
Eﬃcient Computation of the Bounds
The main theorem can be used eﬃciently to compute coset distances, which in turn can be used to compute twopoint code distances. To compute with a certain curve we use, for given points P and Q, a function dP,Q that encapsulates some geometric properties of the curve [7], see also [2], [14]. Lemma 3. Let B be a divisor and let P, Q be distinct points. There exists a unique integer k(B, P, Q) such that B + k P ∈ ΓQ if and only if k ≥ k(B, P, Q) Proof. This amounts to showing that B + kP ∈ ΓQ implies B + (k + 1)P ∈ ΓQ . Now use that ΓQ is a semigroup and that P ∈ ΓQ . Let us restrict our attention to twopoint divisors. Using the previous notation deﬁne the following integer valued function. dP,Q (a) = k(aQ, P, Q) + a
An Extension of the Order Bound for AG Codes
17
Theorem 3. For a divisor A with support in {P, Q}, A ∈ ΓQ ⇔ deg(A) ≥ dP,Q (AQ ). Proof. Let A = kP +aQ, then deg(A) ≥ dP,Q (a) is equivalent to k ≥ k(aQ, P, Q), which by deﬁnition is aQ + kP ∈ ΓQ . This property makes the d function a powerful computational tool. Moreover, for m such that mP ∼ mQ, d is deﬁned modulo m. In general, the function d depends on the ordering of the points P and Q, but it is easy to see that the functions dP,Q and dQ,P satisfy the relation dP,Q (a) = a + b if and only if dQ,P (b) = a + b. The function d = dP,Q and the parameter m are enough to compute sequences of twopoint divisors Ai ∈ ΔP (C) as required by Theorem 1. A simple application of the RiemannRoch Theorem give us that we can restrict our search to a ﬁnite range of divisors, since, for A ∈ ΔP (C), min{0, deg C} ≤ deg A ≤ max{2g − 1, deg C + 2g − 1}. Using mP ∼ mQ, we can assume moreover, for A = AP P + AQ Q, that AQ ∈ [0, . . . , m − 1]. To ﬁnd long sequences of divisors Ai ∈ ΔP (C) we use a graph theory weightmaximizing algorithm on a rectangular grid T , such that Ti,j is a path of longest length up to the divisor A with degree i and AQ = j (i.e. A = iP + j(Q − P )). Computing bounds for the coset C(C)\C(C + P ) with Theorem 1 1. Initialize the ﬁrst row of T (corresponding to degree i = min{0, deg C} − 1) with 0. 2. Update each row of T successively by the rule Ti,j = max{Ti−1,j−1 , Ti−1,j + BPi,j } where BPi,j is 1 if A ∈ ΔP (C) and 0 otherwise, for the divisor A of degree i with AQ = j. BPi,j is computed using Theorem 3. 3. Iterate up to the last row (corresponding to degree i = max{2g − 1, deg C + 2g − 1}). 4. Return the maximum value in the last row. Using the algorithm we compute bounds for the cosets C(C, S)\C(C + P, S) and C(C, S)\C(C + Q, S) over all possible divisors C. We store them in arrays CP and CQ where the row denotes the degree of C and the column is CQ (mod m). For rational points P and Q such that dP,Q = dQ,P , we can save some work and obtain the table CQ from CP with the relabeling CQi,j = CPi,j for j = i − j (mod m). After computing the coset bounds, we traverse all possible coset ﬁltrations of all codes to ﬁnd bounds for the minimum distances. We use a graph theory ﬂowmaximizing algorithm on a rectangular grid D, such that Di,j is a bound for the minimum distance of a code C(C) with C of degree i and CQ = j. Computing bounds for the distances of all codes C(C) using P coset and Qcoset tables 1. Initialize the last row of D (corresponding to degree i = 2g) with 2g.
18
I. Duursma and R. Kirov
2. Update each row of D successively by the rule Di,j = max{min{Di+1,j , CPi,j }, min{Di+1,j+1 , CQi,j }} 3. Iterate up to the ﬁrst row (corresponding to degree i = 0). Theorem 2 can be used to obtain improved lower bounds for the cosets C(C)\C (C + P ) and C(C)\C(C + Q). The basic algorithm is the same as before with an extra step of using the table of all bounds for C(C, S)\ ∪P ∈S C(C + P, S) to produce the P  and Qcoset tables. Computing P  and Qcoset bounds using Theorem 2 1. Compute table CS with bounds for C(C, S)\ ∪P ∈S C(C + P, S). This step is done in exactly the same way as the computation for Theorem 1, but the new table T for each C has the update rule Ti,j = max{Ti−1,j−1 + BQi,i−j , Ti−1,j + BP i, j} 2. Initialize CP and CQ at the top row (corresponding to degree i = 2g) with 2g. 3. Compute CP in decreasing row order using the rule CPi,j = min{CPi+1,j+1 , Ti,j }. 4. Compute CQ in decreasing row order using the rule CQi,j = min{CQi+1,j , Ti,j }. Once the P  and Qcoset bounds are known, exactly the same minimizing ﬂow method as the one used for obtaining dDP can be used for an improved bound, denoted dDK .
6
Tables for the Suzuki Curve over F32
The Suzuki curve over the ﬁeld of q = 2q02 elements is deﬁned by the equation y q + y = xq0 (xq + x). The curve has q 2 + 1 rational points and genus g = q0 (q − 1). The semigroup of Weierstrass nongaps at a rational point is generated by {q, q+q0 , q+2q0 , q+2q0 +1}. For any two rational points P and Q there exists a function with divisor (q + 2q0 + 1)(P − Q). Let m = q + 2q0 + 1 = (q0 + 1)2 + q0 2 , and let H be the divisor class containing mP ∼ mQ. The canonical divisor K ∼ 2(q0 − 1)H. For the Suzuki curve over the ﬁeld of 32 elements we use q0 = 4, q = 32, g = 124, m = 41, K ∼ 6H. The action of the automorphism group on the rational points of the curve is 2transitive, so that dP,Q (a) = d(a) does not depend on the choice of the points P and Q. For the Suzuki curve with parameter q0 , the d function is given by d(k) = (q0 − a)(q − 1) where a,b are the unique integers such that a + b ≤ q0 and k ≡ a(q0 + 1) + bq0 − q0 (q0 + 1) (mod m). A detailed explanation of the geometry behind this result
An Extension of the Order Bound for AG Codes
19
can be found in [7]. To store the function d as a list, we go through all integers a and b with a + b ≤ q0 . To compute d(k) for a single value k, we may use d(k) = (q − 1)(2q0 − q(k − 1, 2q0 + 1)+ − q(r(k − 1, 2q0 + 1), q0 + 1) − r(r(k − 1, 2q0 + 1), q0 + 1)), where q(a, b) and r(a, b) are the quotient and the remainder, respectively, when a is divided by b, and k − 1 is taken modulo m. Table 1. Number of improvements of one bound over another (top), and the maximum improvement (bottom), based on 10168 twopoint codes for the Suzuki curve over F32 Floor bounds dBP T dGOP dBP T
Order bounds
dLM dGST dABZ
dB0
dB dABZ dDP dDK
6352 6352 6352 6352 6352 6352 · 4527 4551 4597 5260 5264
6352 6352 6352 5264 5264 5274
dLM dGST dABZ
· · ·
· 2245 2852 4711 4729 · · 2213 4711 4729 · · · 4665 4683
4731 4731 4757 4731 4731 4757 4685 4685 4711
dB0 dB dABZ dDP
· · · ·
1 1 · ·
1 1 · ·
1 1 · ·
· 176 · · · · · ·
374 412 1643 198 236 1565 · 38 1404 · · 1366
dGOP dBP T
1 ·
8 7
13 12
21 20
33 32
33 32
33 32
33 32
33 32
dLM dGST dABZ
· · ·
· · ·
7 · ·
15 8 ·
28 24 24
28 24 24
28 24 24
28 24 24
28 24 24
dB0 dB dABZ dDP
· · · ·
1 1 · ·
1 1 · ·
1 1 · ·
· · · ·
1 · · ·
5 5 · ·
5 5 1 ·
6 6 6 6
Table 2. Improvements of dDP and dDK over dB for 10168 twopoint codes dDK − dDP = dDP − dB
0
1
2
3
4
= 0 8603 656 356 198 50 1 92 12 0 0 0 2 33 4 0 0 0 3 74 4 1 0 0 4 0 0 0 0 0 5 0 16 0 0 0
5
6
6 63 0 0 0 0 0 0 0 0 0 0
20
I. Duursma and R. Kirov
Table 3. Optimal codes (For given deg C = 2, . . . , 124 (= g), dDK is the maximum lower bound for a twopoint code deﬁned with C = CP P + CQ Q, and CQ gives values for which the maximum is achieved. Suppressed are divisors that deﬁne subcodes with the same minimum distance as already listed codes. Exchanging P and Q gives a similar code and listed are only divisors with CQ (mod m) ≤ CP (mod m). The last columns give the amount by which dDK exceeds similarly deﬁned maximum lower bounds for dDP and dB , respectively. deg C dDK CQ 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
31 31 31 32 32 32 38 38 38 44 44 44 44 48 48 48 50 50 51 54 54 54 54 54 54 54 56 56 58 58 58 59 61 62 62 62 62 62 62 62 62
· · · [0] · · · [2] · · · [1] · [6] · · · [5] · · · [8] · · [9] · [10] · · · · · · · [12] · · [13] 2 [10] 2 2 [12] 3 [13] 3 [10 14] 3 [17] 3 3 2 2 2 2 2 [5]
deg C dDK CQ · · · · · · 3 3 3 · · · · 1 · · 1 · 1 3 3 1 3 · · · 1 · 2 2 2 3 3 3 3 3 2 2 2 2 2
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
62 62 63 64 64 64 68 68 70 72 72 72 74 75 75 75 75 77 77 78 79 80 80 81 83 85 85 85 87 87 87 87 89 91 91 91 91 93 93 93 93
· · [5] · [0] · · · [2] · · [2, 4] · [1] · [4, 6] · · [7] 2 [7] 2 · · · [8] · · [10] · [10] 1 [11] 2 [8] · [5] 1 [10] 1 [11] 2 1 [5, 9] 1 [10] 3 2 [7, 16] · · [10] 1 [10, 11] 3 1 [8] 1 [5, 7] · [10, 11] 2 2 1 [7] · [5]
deg C dDK CQ · · · · · · 2 2 2 · · · 2 3 2 · · · · · 1 2 · 1 1 2 1 1 3 2 · · 1 3 1 1 · 2 2 1 1
84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124
94 94 96 96 96 96 99 100 102 102 103 104 106 106 106 108 110 110 110 112 112 114 114 114 116 118 118 118 120 120 121 121 122 123 124 124 124 125 126 127 128
[1] [0, 5] [1] [0]
[1, 2] [2, 3] [3] [5] [2] [7]
[2, 6] [7]
[6] [2] [7] [9] [2, 6, [7]
[6] [2] [7] [2, [2, [2, [2,
6, 6, 6, 6,
[1, 5, [1] [1] [1] [0]
· · · · · · · · · · · · · · · · · · · · · 1 1 · 7] · 2 2 1 1 1 2 9] 1 7, 10, 15] · 7] 1 7] 2 1 10, 19] · · · · ·
1 · 1 · · · · · · · · · · · · · · · · · · 1 1 · · 2 2 1 1 1 2 1 · 1 2 1 · · · · ·
An Extension of the Order Bound for AG Codes
21
Table 1 compares the Goppa bound dGOP , the base point bound dBP T (an improvement of the Goppa bound by one whenever C has a base point), the ﬂoor bounds dLM [16, Theorem 3], dGST [11, Theorem 2.4], dABZ [7, Theorem 2.4], and the order bounds dB0 , dB , dABZ , dDP , dDK . Each bound was optimized over the full parameter space corresponding to that bound. The computations for the Suzuki curve of genus g = 124 over F32 were very eﬃcient, computations for the 2g · m = 10168 twopoint codes with Goppa designed minimum distance in the range 0, . . . , 2g − 1, took less than 10 minutes on a desktop PC for any given bound. As can be seen, the Beelen bound dB oﬀers only slight improvement over the weaker Beelen bound dB0 . Similar for the improvement of the DuursmaPark bound dDP over the weaker ABZ bound dABZ . Table 2 gives a further breakdown of the 236 codes for which dDP improves dB and the 1366 codes for which dDK improves dDP . The improvements are by at most 5 and 6, respectively. The 63 codes with dDK = dDP + 6 all have dDK = 62 which agrees with the actual minimum distance (namely realized by a choice of 62 points with P1 + . . . + P62 ∼ 31P + 31Q). For each of the 63 codes, the coset with C = 23P + 23Q is the unique coset where Theorem 1 fails to give a lower bound above 56. For the same coset, Theorem 2 gives a lower bound of 62, for example with a sequence A1 , . . . , A62 of type {A1 = 24Q, . . . , A24 = 114P + 24Q} (⊆ ΔP (C)) ∪ {A25 = 114P + 25Q, . . . , A38 = 114P + 40Q} (⊆ ΔQ (C)) ∪ {A39 = 156P, . . . , A62 = 270P } (⊆ ΔP (C)). Table 1 and Table 2 do not show whether the improvements occur for good codes or for poor codes. For Table 3 we select for each degree deg C, i.e. for each given Goppa designed minimum distance, the optimal code with respect to each of the bounds dB , dDP , dDK and we compare those. In this case, depending on the degree, the improvements of dDK , obtained with Theorem 2, over the bounds dB and dDP vary between 0 and 3.
References 1. Beelen, P.: The order bound for general algebraic geometric codes. Finite Fields Appl. 13(3), 665–680 (2007) 2. Beelen, P., Tuta¸s, N.: A generalization of the Weierstrass semigroup. J. Pure Appl. Algebra 207(2), 243–260 (2006) 3. BrasAmor´ os, M., O’Sullivan, M.E.: On semigroups generated by two consecutive integers and improved Hermitian codes. IEEE Trans. Inform. Theory 53(7), 2560– 2566 (2007) 4. Campillo, A., Farr´ an, J.I., Munuera, C.: On the parameters of algebraicgeometry codes related to Arf semigroups. IEEE Trans. Inform. Theory 46(7), 2634–2638 (2000) 5. Carvalho, C., Torres, F.: On Goppa codes and Weierstrass gaps at several points. Des. Codes Cryptogr. 35(2), 211–225 (2005)
22
I. Duursma and R. Kirov
6. Chen, C.Y., Duursma, I.M.: Geometric ReedSolomon codes of length 64 and 65 over F8 . IEEE Trans. Inform. Theory 49(5), 1351–1353 (2003) 7. Duursma, I., Park, S.: Coset bounds for algebraic geometric codes, 36 pages (2008) (submitted), arXiv:0810.2789 8. Duursma, I.M.: Majority coset decoding. IEEE Trans. Inform. Theory 39(3), 1067– 1070 (1993) 9. Duursma, I.M.: Algebraic geometry codes: general theory. In: Munuera, C., MartinezMoro, E., Ruano, D. (eds.) Advances in Algebraic Geometry Codes. Series on Coding Theory and Cryptography. World Scientiﬁc, Singapore (to appear) 10. Feng, G.L., Rao, T.R.N.: Decoding algebraicgeometric codes up to the designed minimum distance. IEEE Trans. Inform. Theory 39(1), 37–45 (1993) 11. G¨ uneri, C., Sitchtenoth, H., Taskin, I.: Further improvements on the designed minimum distance of algebraic geometry codes. J. Pure Appl. Algebra 213(1), 87– 97 (2009) 12. Hansen, J.P., Stichtenoth, H.: Group codes on certain algebraic curves with many rational points. Appl. Algebra Engrg. Comm. Comput. 1(1), 67–77 (1990) 13. Høholdt, T., van Lint, J.H., Pellikaan, R.: Algebraic geometry of codes. In: Handbook of coding theory, vol. I, II, pp. 871–961. NorthHolland, Amsterdam (1998) 14. Kim, S.J.: On the index of the Weierstrass semigroup of a pair of points on a curve. Arch. Math. (Basel) 62(1), 73–82 (1994) 15. Kirfel, C., Pellikaan, R.: The minimum distance of codes in an array coming from telescopic semigroups. IEEE Trans. Inform. Theory 41(6, part 1), 1720–1732 (1995); Special issue on algebraic geometry codes 16. Lundell, B., McCullough, J.: A generalized ﬂoor bound for the minimum distance of geometric Goppa codes. J. Pure Appl. Algebra 207(1), 155–164 (2006) 17. Maharaj, H., Matthews, G.L.: On the ﬂoor and the ceiling of a divisor. Finite Fields Appl. 12(1), 38–55 (2006) 18. Matthews, G.L.: Weierstrass pairs and minimum distance of Goppa codes. Des. Codes Cryptogr. 22(2), 107–121 (2001) 19. Matthews, G.L.: Codes from the Suzuki function ﬁeld. IEEE Trans. Inform. Theory 50(12), 3298–3302 (2004)
Sparse Numerical Semigroups C. Munuera1 , F. Torres2 , and J. Villanueva2 1
2
Dept. of Applied Mathematics, University of Valladolid Avda Salamanca SN, 47012 Valladolid, Castilla, Spain IMECCUNICAMP, Cx.P. 6065, 13083970, CampinasSP, Brasil
Abstract. We investigate the class of numerical semigroups verifying the property ρi+1 − ρi ≥ 2 for every two consecutive elements smaller than the conductor. These semigroups generalize Arf semigroups.
1
Introduction
Let N0 be the set of nonnegative integers and H = {0 = ρ1 < ρ2 < · · ·} ⊆ N0 be a numerical semigroup of ﬁnite genus g. This means that the complement N0 \H is a set of g integers called gaps, Gaps(H) = {1 , . . . , g }. Then c = g + 1 is the smallest integer such that c + h ∈ H for all h ∈ N0 . The number c is called the conductor of H and clearly c = ρc−g+1 . Semigroups play an important role in the theory of one point algebraic geometry codes. In fact, the computation of the order bound on the minimum distance of such a code C(X , D, mQ) –constructed from a curve X , a divisor D on X and a point Q of X – involves computations in the Weierstrass semigroup associated to Q (see Section 5 and [6] for more details). Some families of semigroups have been studied in deep from this point of view. Relevant for this article are Arf and inductive semigroups. Let us remember that the semigroup H is said to be Arf if ρi + ρj − ρk ∈ H for i ≥ j ≥ k ≥ 0. The study of Arf semigroups has been carried in the context of Coding Theory, [3],[5], and Local Algebra Theory, [1], [2], [7], among others (see [12] and the references therein). Inductive semigroups are a particular class of Arf semigroups ([5]). A sequence (Sn ) of semigroups is called inductive if there exist sequences of positive integers (an ) and (bn ) such that S1 = N0 and for n > 1, Sn = an Sn−1 ∪ {m ∈ N0 : m ≥ an bn }. A semigroup is called inductive if it is a member of an inductive sequence. Note that the Arf condition implies (see Corollary 1 below) i − i−1 ≤ 2,
for i = 2, . . . , g,
(1)
or equivalently ρi+1 − ρi ≥ 2 for i = 1, . . . , c − g. There are numerical semigroups satisfying (1) which are not Arf, e.g. those given in Example 1. This fact provides a motivation to introduce and study the class of semigroups for which (1) holds. These will be called sparse. Let us remark that there exist other generalizations of Arf semigroups, proposed by diﬀerent authors. For example, in ([4]) the Arf property is extended to a widely class of semigroups via the concept of patterns of semigroups. The sparse and pattern properties are disjoint in general. M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 23–31, 2009. c SpringerVerlag Berlin Heidelberg 2009
24
C. Munuera, F. Torres, and J. Villanueva
From a geometrical point of view, sparse semigroups are closely related to Weierstrass semigroups arising in double covering of curves, cf. [14]. Its arithmetical structure is strongly inﬂuenced by the parity of its largest gap g . Recall that for all semigroups we have g ≤ 2g − 1 ([9]). When equality holds then the semigroup is called symmetric. For even g we consider the family Hg,k := {H : H is a sparse semigroup of genus g and g = 2g − 2k}.
(2)
For each H ∈ Hg,k we prove that g ≤ 6k − 3 (Theorem 2); this was noticed by Barucci et al. [2, Thm. I.4.5] and BrasAmor´ os [3, Prop. 3.2] when k = 1. The approach used here is quite diﬀerent from theirs. In particular we show that ∪g Hg,k is ﬁnite. For g odd, write g = 2g − (2γ + 1) with γ ≥ 0 an integer. We prove (Theorem 3) that for g large enough with respect to γ, H is of the form ¯ ∪ {h ∈ N : h ≥ 2g − 2γ + 1}, H = 2H
(3)
¯ is a semigroup of genus γ uniquely determined by H. When γ = 0 then where H H is hyperelliptic, that is 2 ∈ H (which has already been noticed in [2], [3], [5]). Finally in Section 5 we observe that sparse semigroups of genus large enough satisfy the acute property in the sense of BrasAmor´ os [3], and we obtain the order of such semigroups as a function of g and g (Proposition 5).
2
Sparse Semigroups
Let H = {0 = ρ1 < ρ2 < · · ·} be a semigroup of genus g and conductor c. Our starting point is the following result (see [5], Proposition 1). Proposition 1. H is Arf iﬀ for all integers i ≥ j ≥ 1, it holds that 2ρi −ρj ∈ H. Corollary 1. The set of gaps of an Arf semigroup H of genus g satisfy (1). Proof. Let Gaps(H) = {1 , . . . , g }. Suppose there exists i ∈ {2, . . . , g} such that i − i−1 > 2. Then i − 2 and i − 1 are nongaps of H and Proposition 1 implies 2(i − 1) − (i − 2) = i ∈ H, a contradiction. Example 1. Let g ≥ 7. The set H = N0 \ {1, . . . , g − 3, g − 1, g + 1, g + 2} = {0, g − 2, g, g + 3, g + 4, . . .} is a semigroup of genus g satisfying (1). Since 2g − (g − 2) = g + 2 ∈ H it is not Arf. Definition 1. A semigroup H = {0 = ρ1 < ρ2 < . . .} of genus g is called sparse if the set of its gaps, Gaps(H), satisﬁes (1). Equivalently, H is sparse if ρi+1 − ρi ≥ 2 for i = 1, . . . , c − g. Obviously, every Arf semigroup is sparse. Other remarkable examples of sparse semigroups are as follows.
Sparse Numerical Semigroups
25
¯ be an arbitrary semigroup of conductor c¯ and genus γ. Example 2. Let H ¯ ∪{h ∈ N0 : h ≥ R} (a) Given two integers a ≥ 2, R ≥ 0, the semigroup H := aH is sparse. In particular, inductive semigroups are sparse. Note that when a = 2 ¯ is Arf. and R ≥ 2¯ c, then H is Arf iﬀ H ¯ ∪ {h ∈ N : h ≥ (b) Let g be an integer such that g ≥ γ + c¯. Then H = 2H 2g − 2γ + 1} is a sparse semigroup of genus g with g = 2g − (2γ + 1), whose number of even gaps is γ. In Section 4 we will show that every sparse semigroup with g odd and genus large enough with respect to γ arise in this way. For a semigroup H, let m = m(H) = ρ2 − 1. When H = N0 , m is the largest integer such that m = m. Then m(H) = 1 iﬀ H is hyperelliptic. Proposition 2. Let H be a symmetric semigroup of genus g > 0. The following statements are equivalent: 1. H is Arf; 2. H is sparse; 3. m(H) = 1. Proof. The symmetry property implies g−1 = g − ρ2 ; then from inequalities (1) it follows that ρ2 = 2. This shows that (2) implies (3). If 2 ∈ H, assertion (1) follows from Example 2 as H = 2N0 ∪ {n ∈ N : n ≥ 2g}. Proposition 3. Let H be a semigroup with m(H) = 2 and g > 2. The following statements are equivalent: 1. H is Arf; 2. H is sparse; 3. H = 3, (3g + 2)/2 , (3g + 5)/2 . In this case g = (3g − 1)/2 . Proof. If H is sparse, by induction i = (3i − 1)/2 for i = 1, . . . , g. Then H = 3N0 ∪ {n ∈ N : n ≥ (3g + 2)/2 }. The following results show a strong restriction on the arithmetic of sparse semigroups. They generalize the statement (2) implies (3) in Proposition 2. Lemma 1. Let H be a sparse semigroup of genus g with Gaps(H) = {1 , . . . , g }. If g−i = g−i+1 − 1, then 2g−i < 3(g − i). Proof. The set {1, . . . , g−i } contains g − i gaps and t = g−i − (g − i) nongaps. Write {1, . . . , g−i } ∩ H = {ρ2 , . . . , ρt+1 }. All elements in the set {g−i − ρ2 , · · · , g−i − ρt+1 } ∪ {g−i+1 − ρ2 , · · · , g−i+1 − ρt+1 } are distinct gaps. If otherwise g−i −ρr = g−i+1 −ρs = g−i +1−ρs , then ρr +1 = ρs contradicting the fact of H being sparse. Thus 2(g−i −(g −i))+1 ≤ g −i and hence 2g−i ≤ 3(g −i)−1. Let m = m(H) = ρ2 − 1 be as above and let K = K(H) = 2g − g .
26
C. Munuera, F. Torres, and J. Villanueva
Theorem 1. Let H be a sparse semigroup of genus g with Gaps(H) = {1 , . . . , g }. Then 1. i ≥ 2i − K for all i = 1, . . . , g. In particular m ≤ K. 2. If i = 2i − K then j = 2j − K for j = i, . . . , g. 3. If g ≥ 2K − 1 then i = 2i − K for all i = 2K − 2, . . . , g. Proof. (1) By the sparse property, g − i ≤ 2(g − i) so that i ≥ 2i − K. Then 2(j + 1) − K ≤ j+1 ≤ j + 2 and the result follows. (2) is clear. (3) Since g = 2g − K by deﬁnition of K, it is enough to prove that i+1 = i + 2 for i = 2k − 2, . . . , g − 1. We use induction on j = g − i and thus we have to prove the statement g−j = g−j+1 − 2 for j = 1, . . . , g − 2K + 2. If g−1 = g − 2, the sparse property implies g−1 = g − 1. Then, according to Lemma 1, 2(g − 1) = 2g−1 < 3(g − 1) and so g < 2K − 1, a contradiction. Suppose that the assertion is true for all t = 1, . . . , j (1 ≤ j ≤ g − 2K + 1) and let us prove it for j + 1. If g−j−1 = g−j − 1, then from the Lemma it follows that 2(g−j − 1)) = 2g−j−1 < 3(g − i − 1). By induction hypothesis we have g−j = g − 2j, hence j > g − 2K + 1, which is also a contradiction. Example 3. Let H be a semigroup. According to the Theorem, m(H) ≤ K(H). When equality holds, then H is sparse iﬀ i = 2i − K for i = K, . . . , g. Note that in this case H is also Arf. If K = 2k, then H is sparse iﬀ H has exactly (g − k) even gaps. Here observe that 2(2k + 1) ≥ 2g − 2k + 2 so that g ≤ 3k. This example will be generalized in Theorem 2.
3
The Largest Gap: Even Case
As we have seen, the structure of sparse semigroups H = N0 is strongly inﬂuenced by its largest gap g , and in particular by the parity of g . Let us study now the case in which g is even and thus m = m(H) = ρ2 − 1 ≥ 2. Theorem 2. Let H be a sparse semigroup of genus g with g = 2g−K = 2g−2k. If g ≥ 4k − 1, then g ≤ 6k − m(H) − 1. In particular, the family of semigroups Hk = g≥0 Hg,k , where Hg,k is as in (2), is ﬁnite. Proof. From Theorem 1(3), the gaps 6k − 2 = 4k−1 < . . . < 2g − 2k = g , are all of them even numbers. Thus the gaps 3k − 1 = I−(g−4k+1) < · · · < g − k = I are consecutive integers and I ≤ 4k − 1. By the sparse property, 4k−1 − I ≤ 2(4k − 1 − I), hence 2I ≤ g + k (∗). If m ≥ g − k, then g ≤ 3k by Theorem 1(1), so that k = 1 and g = 3. If m < g − k, then m < 3k − 1. By applying the sparse property once again, it follows that 3k − 1 − m ≤ 2(I − g + 4k − 1 − m), i.e., 2g ≤ 2I + 5k − m − 1. Finally (∗) implies g ≤ 6k − m − 1. Example 4. In [2] and [3], Barucci et al. and BrasAmor´os proved that there exist only two Arf semigroups with g = 2g − 2, namely H = {0, 3, 4, . . .} and H = {0, 3, 5, 6, 7, . . .}. By the above Theorem, the following statements are equivalent:
Sparse Numerical Semigroups
27
1. H is Arf with g = 2g − 2; 2. H is sparse with g = 2g − 2; 3. g = 2 and H = {0, 3, 4, . . .}, or g = 3 and H = {0, 3, 5, 6, 7, . . .} = 3N0 ∪{h ∈ N : h ≥ 5}. Example 5. By using the above results we can compute all sparse semigroups with g = 2g − 4. First note that all these semigroups have genus g ≥ 4. Also g ≤ 7. If otherwise g ≥ 4k = 8, Theorem 2 implies g ≤ 11 − m and hence m = 2 or m = 3. In both cases 12 ∈ H. Since 7 = 10, we have 12 ≥ 2g which is a contradiction. Thus 4 ≤ g ≤ 7. Let g > 4. By Theorem 1(1) we have 2 ≤ m ≤ 4. If m = 2 then Proposition 3 allows us to compute H. Let m = 3. We shall show that g = 5 and H = {0, 4, 7, 8, 9, 10, . . .} = 4N0 ∪ {h ∈ N : h ≥ 7}. In fact, here ρ2 = 4, 4 = 5. If 6 ∈ H, then {4, 6, 8, 10, . . .} ⊆ H, which implies 2g − 4 ≤ 2. Thus 5 = 6. If g > 5, 8 ∈ Gaps(H) by the sparse property. Finally the case m = 4 is computed via Example 3. We subsume all these computations as follows. Let H be a semigroup with g = 2g − 4. The following statements are equivalent: 1. H is Arf; 2. H is sparse; 3. g = 4 and Gaps(H) = {1, 2, 3, 4}, or g = 5 and H = 3, 8, 10, or g = 6 and H = 3, 10, 11, or g = 7 and H = 3, 11, 13, or g = 5 and H = 4, 7, 9, 10, or m(H) = 4 and hence H has exactly (g − 2) even gaps for g = 5, 6, 7. Remark 1. We can also study the cardinality of the family (2). Consider the semigroups H of genus g with g (H) = 2g − 2k and m(H) = 2k. We have 2k ≤ g ≤ 3k and we obtain exactly k + 1 of such semigroups (cf. Example 3).
4
The Largest Gap: Odd Case
Let us study now the case g odd. To do that we shall need some results concerning γhyperelliptic semigroups, which are those semigroups having exactly γ even gaps (cf. [13], [14]). Proposition 4. Let H be a semigroup. If there exists an integer γ ≥ 0 such that ρ2γ+2 = 6γ + 2 and g ≥ 6γ + 4, then H can be written in the form ¯ ∪ {uγ , . . . , u1 } ∪ {n ∈ N : n ≥ 2g} , H = 2H ¯ is a semigroup of genus γ and uγ < · · · < u1 ≤ 2g − 1 are precisely the where H γ odd nongaps of H up to 2g. Proof. See [13], Theorem 2.1. ¯ = Observe that H in the above Proposition has exactly γ even nongaps and H {h/2 : h ∈ H, h ≡ 0 (mod 2)}. The main result of this section is the following.
28
C. Munuera, F. Torres, and J. Villanueva
Theorem 3. Let H be a sparse semigroup with g = 2g − (2γ + 1). If g ≥ 6γ + 4 ¯ ∪ {uγ , . . . , u1 } ∪ {n ∈ N : n ≥ 2g}, where H ¯ is a semigroup of then H = 2H genus γ and ui = 2g − 2i + 1 for i = 1, . . . , γ. Proof. By Theorem 1 we have 2K−1 = 3K − 2 and 2K = 3K where K = 2γ + 1. Thus ρK+1 = 3K − 1, hence ρ2γ+2 = 6γ + 2 and the result follows. A semigroup as in the Theorem will be called ordinary γhyperelliptic. Remark 2. The lower bound on the genus in Theorem 3 is necessary as the following example shows. Let γ ≥ 1 be an integer and consider the Arf semigroup H = 3, 6γ + 2, 6γ + 4. H is 2γhyperelliptic of genus g = 4γ + 1 but g = 2g − (2γ + 1) (cf. Proposition 3). Remark 3. There exist γhyperelliptic sparse semigroups of genus g ≥ 2γ + 1. Let H be the semigroup deﬁned in Example 3. Here i = i for i = 1, . . . , K, i = 2i − K for i = K, . . . , g, and K = 2γ + 1. Corollary 2. Let γ ≥ 0 be an integer. Let H be a sparse semigroup of genus ¯ = {h/2 : h ∈ H, h ≡ 0 (mod 2)}. g ≥ 6γ + 4 with g = 2g − (2γ + 1). Let H ¯ Then H is Arf if and only if so is H. ¯ ∪{h ∈ N : h ≥ 2g−2γ +1}. Since R = 2g−2γ +1 ≥ Proof. We can write H = 2H 2¯ c + 1 (note 2γ ≥ c¯), the result follows from Example 2. Example 6. If g ≥ 4 and g = 2g − 1, then γ = 0 and we ﬁnd a new proof of Proposition 2. Remember that there exists just one semigroup of genus 1, namely {0, 2, 3, . . .} and two semigroups of genus 2, {0, 2, 4, 5, . . .} and {0, 3, 4, 5, . . .}. All of them are Arf semigroups. Example 7. Let H be a semigroup of genus g ≥ 10 with g = 2g − 3. The following statements are equivalent: 1. H is Arf; 2. H is sparse; 3. H is ordinary 1hyperelliptic, that is H = 2{0, 2, 3, . . .} ∪ {n ∈ N0 : n ≥ 2g − 1}. Example 8. Let H be a semigroup of genus g ≥ 16 with g = 2g − 5. The following statements are equivalent: 1. H is Arf; 2. H is sparse; ¯ ∪ {2g − 3, 2g − 1}, where H ¯ is 3. H is ordinary 2hyperelliptic, that is H = 2H a semigroup of genus 2. ¯ of genus γ which are not Example 9. For every γ ≥ 3, there exist semigroups H Arf. For example, H := N0 \ {1, 2, . . . , γ − 1, γ + 2}. Thus for every γ ≥ 3 there exist ordinary γhyperelliptic semigroups having largest gap g odd, which are not Arf property (cf. Corollary 2).
Sparse Numerical Semigroups
5
29
On the Order of Semigroups
In this section we are interested in the order bound of sparse semigroups. Let us remember that for a semigroup H = {0 = ρ1 < ρ2 < · · ·}, we can consider the sets A() = A[ρ ] := {(s, t) ∈ N2 : ρs + ρt = ρ } ∈ N, and their cardinals
ν := A( + 1)
(or equivalently, ν = {ρ+1 − ρ1 , . . . , ρ+1 − ρ+1 } ∩ H). For ∈ N0 we deﬁne the th order bound of H as d (H) := min{νm : m ≥ }. The order bound was introduced in the context of the Theory of ErrorCorrecting codes. In fact, d (H) gives a lower bound on the minimum distance of Algebraic Geometry codes related to H (see [6] for details). The order bound is often diﬃcult to compute. For this reason, we deﬁne the order number of H as o(H) := min{ ∈ N : νj ≤ νj+1 for all j ≥ } . It is clear that d (H) = ν for all ≥ o(H). Let us recall the concept of acute and nearacute semigroups (cf. [3], [8]). Write H = {0} ∪ [cm , dm ] ∪ · · · ∪ [c1 , d1 ] ∪ [c0 , ∞) , (4) where ci , di are nonnegative integers such that di+1 + 2 ≤ ci ≤ di for i = 1, . . . , m, d1 + 2 ≤ c, and cm+1 = dm+1 = 0, with c0 equals the conductor c of H. Consider the following conditions: (I) c0 − d1 ≤ c1 − d2 ; (II) c0 − d1 ≤ d1 − d2 ; (III) 2d1 − c0 + 1 ∈ H. We say that H is acute if it satisﬁes (I); H is nearacute if it satisﬁes (II) or (III). Notice that (I) implies (II). Deﬁne the function ι on H by ι(ρi ) = i. In [8, Thm. 3.11] it is shown that o(H) = min{ι(2d1 + 1), ι(c0 + c1 − 1)} provided that H is nearacute (*). See also [10,11] for more information. Proposition 5. Let H be a sparse semigroup of genus g with g = 2g − K. If 2g ≥ 3g then H is acute and o(H) = 2g − g = 3g − 2K. Proof. Notation as in equation (4). From Theorem 1, c0 = g +1, c1 = d1 = g −1 and c2 = d2 = g − 3. We have 2d1 + 1 = c0 + c1 − 1 = 2g − 1 and thus H is acute. Now 2g − 1 = ρ2g −g and the proof follows from the above formula (∗) for o(H). Example 10. For g ≥ 7, let H = {0, g − 2, g, g + 3, g + 4 . . .} be the sparse semigroup of Example 1 (thus g = g + 2 = 2g − (g − 2)). It is easy to check that H is not nearacute. We claim that o(H) = g − 1 (in particular, o(H) is not given by the formula (∗) above).
30
C. Munuera, F. Torres, and J. Villanueva
Since r = 2c0 − g − 1 = g + 5, from [8, Thm. 2.6], the sequence (ν )≥g+5 is strictly increasing. Thus we have to consider the numbers ν for ≤ g + 5. Here ρ1 = 0, ρ2 = g − 2, ρ3 = g and ρ = g + − 1 for ≥ 4. Let k ∈ {1, . . . , 6} and i ∈ [k + 3, g + k − 1]. We have ρg+k − ρi = g + k − i ∈ [1, g − 3] and so νg+k−1 = {ρg+k − ρ2 , . . . , ρg+k − ρk+2 } ∩ H + 2 . If k = 1 then νg = {g + 2, g} ∩ H + 2 = 3, otherwise ρg+k − ρk+2 = g − 2 ,
if k ≥ 2
ρg+k − ρk+1 = g − 1 ∈ / H, ρg+k − ρk = g ,
if k ≥ 3 if k ≥ 4 .
In addition, if k ≥ 2 we obtain ρg+k − ρ2 = g + k + 1 ∈ H and thus νg+k−1 = {ρg+k − ρ3 , . . . , ρg+k − ρk+2 } ∩ H + 3 . Therefore νg+1 = {g + 1, g − 2} ∩ H + 3 = 4 , νg+2 = {g + 2, g − 1, g − 2} ∩ H + 3 = 4 , νg+3 = {g + 3, g, g − 1, g − 2} ∩ H + 3 = 6 , νg+4 = {g + 4, g + 1, g, g − 1, g − 2} ∩ H + 3 = 6 , νg+5 = {g + 5, g + 2, g + 1, g, g − 1, g − 2} ∩ H + 3 = 6 . Now, let s ∈ {0, 1} and j ∈ [4, g + s − 1] then ρg−s − ρj = g − s − j ∈ [1, g − 4] and so νg−s−1 = {ρg−s − ρ2 , ρg−s − ρ3 } ∩ H + 2 . Then νg−1 = {g + 1, g − 1} ∩ H + 2 = 2 , νg−2 = {g, g − 2} ∩ H + 2 = 4 . Thus o(H) = g − 1. Acknowledgment. The authors wish to thank the reviewers for their detailed comments and suggestions.
References 1. Arf, C.: Une interpretation alg´ebrique de la suite des ordres de multiplicit´e d´ une branche alg´ebrique. Proc. London Math. Soc. 50, 256–287 (1949) 2. Barucci, V., Dobbs, D.E., Fontana, M.: Maximality properties in numerical semigroups and applications to onedimensional analytically irreducible local domains. Mem. Amer. Math. Soc. 125 (1997)
Sparse Numerical Semigroups
31
3. BrasAmor´ os, M.: Acute semigroups, the order bound on the minimum distance, and the FengRao improvement. IEEE Trans. Inform. Theory 50(6), 1282–1289 (2004) 4. BrasAmor´ os, M., Garc´ıa, P.A.: Patterns on numerical semigroups. Linear Algebra and its Applications 414, 652–669 (2006) 5. Campillo, A., Farr´ an, J.I., Munuera, C.: On the parameters of algebraicgeometry codes related to Arf semigroups. IEEE Trans. Inform. Theory 46(7), 2634–2638 (2000) 6. Høholdt, T., van Lint, J.H., Pellikaan, R.: Algebraic Geometry codes. In: Pless, V., Huﬀman, C. (eds.) Handbook of Coding Theory, pp. 871–961. Elsevier, Amsterdam (1998) 7. Lipman, J.: Stable ideal and Arf semigroups. Amer. J. Math. 97, 791–813 (1975) 8. Munuera, C., Torres, F.: A note on the order bound on the minimum distance of AG codes and acute semigroups. Advances in Mathematics of Communications 2(2), 175–181 (2008) 9. Oliveira, G.: Weierstrass semigroups and the canonical ideal of nontrigonal curves. Manuscripta Math. 71, 431–450 (1991) 10. Oneto, A., Tamone, G.: On numerical Semigroups and the Order Bound. J. Pure Appl. Algebra 212, 2271–2283 (2008) 11. Oneto, A., Tamone, G.: On the order bound of onepoint algebraic geometry codes. J. Pure Appl. Algebra (to appear) 12. Rosales, J.C., Garc´ıaS´ anchez, P.A., Garc´ıaGarc´ıa, J.I., Branco, M.B.: Arf Numerical Semigroups. Journal of Algebra 276, 3–12 (2004) 13. Torres, F.: On γhyperelliptic numerical semigroups. Semigroup Forum 55, 364–379 (1997) 14. Torres, F.: Weierstrass points and double coverings of curves with applications: Symmetric numerical semigroups which cannot be realized as Weierstrass semigroups. Manuscripta Math. 83, 39–58 (1994)
From the Euclidean Algorithm for Solving a Key Equation for Dual Reed–Solomon Codes to the Berlekamp–Massey Algorithm Maria BrasAmor´ os1, and Michael E. O’Sullivan2 1
Departament d’Enginyeria Inform` atica i Matem` atiques Universitat Rovira i Virgili
[email protected] 2 Department of Mathematics and Statistics San Diego State University
[email protected]
Abstract. The two primary decoding algorithms for ReedSolomon codes are the BerlekampMassey algorithm and the Sugiyama et al. adaptation of the Euclidean algorithm, both designed to solve a key equation. This article presents a new version of the key equation and a way to use the Euclidean algorithm to solve it. A straightforward reorganization of the algorithm yields the BerlekampMassey algorithm.
1
Introduction
For correcting primal ReedSolomon codes a useful tool are the socalled locator and evaluator polynomials. Once we know them, the error positions are determined by the inverses of the roots of the locator polynomial and the error values can be computed by a formula due to Forney [4] which uses the evaluator and the derivative of the locator evaluated at the inverses of the error positions. Berlekamp presented in [1] a key equation determining the decoding polynomials for primal ReedSolomon codes. Sugiyama et al. introduced in [9] their celebrated algoithm for solving this key equation based on the Euclidean algorithm for computing the greatest common divisor of two polynomials and the coeﬃcients of the B´ezout’s identity. Another celebrated algorithm for solving the key equation is the algorithm by Berlekamp and Massey [1, 6] which is widely accepted to have better performance than the Sugiyama et al. algorithm, although its formulation is more diﬃcult to understand. The connections between both algorithms were analyzed in [3, 5]. In this work we take the perspective of dual Reed Solomon codes. In Section 3 we present a key equation for dual ReedSolomon codes and in Section 4 we
An extended version is in preparation for being submitted for publication. This work was partly supported by the Catalan Government through a grant 2005 SGR 00446 and by the Spanish Ministry of Education through projects TSI200765406C0301 EAEGIS and CONSOLIDER CSD200700004 ARES.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 32–42, 2009. c SpringerVerlag Berlin Heidelberg 2009
From the Euclidean Algorithm for Solving a Key Equation
33
introduce an Euclideanbased algorithm for solving it, following Sugiyama et al.’s idea. While the key equation for primal ReedSolomon codes states that a linear combination of the decoding polynomials is a multiple of a certain power of x, in the key equation presented here the linear combination has bounded degree. Then, while in Sugiyama et al.’s algorithm the locator and evaluator polynomials play the role of one of the B´ezout’s coeﬃcients and the residue respectively, in the Euclidean algorithm presented here the locator and evaluator polynomials play the role of the two coeﬃcients of the B´ezout’s identity. The decoding polynomials are now slightly diﬀerent and in a sense more natural, since the error positions are given by the roots themselves of the locator polynomial rather than their inverses and that the error values are obtained by evaluating the evaluator polynomial and the derivative of the locator polynomial at the error positions rather than evaluating them at the inverses of the error positions. In addition the equivalent of the Forney formula does not have the minus sign. In Section 5 we prove that the new Euclideanbased algorithm is exactly the BerlekampMassey algorithm. The connections between the Euclidean and the BerlekampMassey algorithms seem to be much more transparent for the dual ReedSolomon codes than for the primal codes [3, 5]. In Section 6 we move back to primal Reed Solomon codes and see how all the developments of the previous sections can be applied to primal codes with minor modiﬁcations.
2
Settings and Notations
In this section we establish the notions and notations that we will use in the present work. A general reference is [8]. Let F be a ﬁnite ﬁeld of size q = pm and let α be a primitive element in F. Let n = q − 1. We identify the vector u = (u0 , . . . , un−1 ) with the polynomial u(x) = u0 + · · · + un−1 xn−1 and denote u(a) the evaluation of u(x) at a. Classically the (primal) ReedSolomon code C ∗ (k) of dimension k is the cyclic code generated by the polynomial (x−α)(x−α2 ) · · · (x−αn−k ), and has generator matrix G∗ (k) = (αij )ij , for i = 0, . . . , k − 1, and j = 0, . . . , n − 1, while the dual ReedSolomon code C(k) of dimension k is generated by the polynomial (x − α−(k+1) ) · · · (x − α−(n−1) )(x − 1) and has generator matrix G∗ (k) = (α(i+1)j )ij , for i = 0, . . . , k − 1, and j = 0, . . . , n − 1. Both codes have minimum distance d = n − k + 1. Furthermore, C(k)⊥ = ∗ C (n − k). There is a natural bijection from Fn to itself, c → c∗ , that takes C(k) to C ∗ (k). Indeed, let i be a vector of dimension k and let c = (c0 , c1 , . . . , cn−1 ) = iG(k) ∈ C(k), c∗ = (c∗0 , c∗1 , . . . , c∗n−1 ) = iG∗ (k) ∈ C ∗ (k). Then, c = (c∗0 , αc∗1 , α2 c∗2 , . . . , αn−1 c∗n−1 ).
(1)
In particular, c(αi ) = c∗0 + αc∗1 αi + α2 c∗2 α2i + · · · + αn−1 c∗n−1 α(n−1)i = c∗ (αi+1 ).
34
3 3.1
M. BrasAmor´ os and M.E. O’Sullivan
Key Equations for Primal and Dual ReedSolomon Codes Polynomials for Correction of RS Codes
Suppose that a word c∗ ∈ C ∗ (k) is transmitted and that an error e∗ occurred ∗ ∗ ∗ with t ≤ d−1 2 nonzero positions, so that u = c + e is received. Deﬁne the ∗ error locator polynomial Λ and the error evaluator polynomial Ω ∗ as Λ∗ = (1 − αi x), Ω∗ = e∗i αi (1 − αi x), i:e∗ i =0
i:e∗ i =0
j:e∗ j =0,j=i
and the syndrome polynomial S ∗ = e∗ (α) + e∗ (α2 )x + e∗ (α3 )x2 + · · · + e∗ (αn )xn−1 . Notice that from the received word we only know e∗ (α) = u∗ (α), . . . , e∗ (αn−k ) = u∗ (αn−k ). This is why we use the truncated syndrome polynomial S¯∗ = e∗ (α) + e∗ (α2 )x + · · · + e∗ (αn−k )xn−k−1 . If Λ∗ and Ω ∗ are known, the error positions can be identiﬁed as the indices i such that Λ∗ (α−i ) = 0 and the error values can be computed by the Forney formula [4] e∗i = −
3.2
Ω ∗ (α−i ) . Λ∗ (α−i )
Polynomials for Correction of Dual RS Codes
Suppose that a word c ∈ C(k) is transmitted and that an error e occurred with t ≤ d−1 2 nonzero positions, so that u = c + e is received. In this case deﬁne the error locator polynomial Λ and the error evaluator polynomial Ω as (x − αi ), Ω= ei (x − αi ), (2) Λ= i:ei =0
i:ei =0
j:ej =0,j=i
and the syndrome polynomial S = e(αn−1 ) + e(αn−2 )x + · · · + e(α)xn−2 + e(1)xn−1 .
(3)
Notice that now, from the received word we only know e(1) = u(1), . . . , e(αn−k−1 ) = u(αn−k−1 ). This is why we use the truncated syndrome polynomial S¯ = e(αn−k−1 )xk + e(αn−k−2 )xk+1 + · · · + e(1)xn−1 .
(4)
From the Euclidean Algorithm for Solving a Key Equation
35
In this case, if Λ and Ω are known, the error positions can be identiﬁed as the indices i such that Λ(αi ) = 0 (5) and the error values can be computed by the formula ei =
Ω(αi ) . Λ (αi )
(6)
It is easy to check that when the error vectors e and e∗ satisfy the relationship (1), then the polynomials Λ, Ω, S, S associated to the error e are related to the polynomials Λ∗ , Ω ∗ , S ∗ , S¯∗ associated to the error e∗ as follows: Λ = xt Λ∗ (1/x), Ω = xt−1 Ω ∗ (1/x), S = xn−1 S ∗ (1/x), S¯ = xn−1 S¯∗ (1/x). 3.3
Key Equations
A straightforward computation shows that ΛS = (xn − 1)Ω
(7)
or, equivalently, Λ∗ S ∗ = (1 − xn )Ω ∗ . See [7] for a proof. In particular, the polynomial Λ∗ S¯∗ + (xn − 1)Ω ∗ = Λ∗ (S¯∗ − S ∗ ) has only terms of order n − k or larger and this implies Λ∗ S¯∗ = Ω ∗ mod xn−k This is the key equation introduced by Berlekamp [1]. Massey [6] gave an algorithm for solving linear feedback shift registers and its application to decoding BCH and thus RS codes. Sugiyama et al. [9] recognized that the Euclidean algorithm for ﬁnding the greatest common divisor of two polynomials and for solving B´ezout’s identity, could also be adapted to solve this kind of equation for Λ∗ and Ω ∗ , starting with r−2 = xn−k and r−1 = S¯∗ . Their method is often referred to as the Euclidean decoding algorithm for Reed Solomon codes. On the other hand, the polynomial ΛS¯ − (xn − 1)Ω = Λ(S¯ − S) has degree d−1 d+1 at most d−1 2 + k − 1 = 2 + n − d = n − 2 . That is deg(ΛS¯ − (xn − 1)Ω) ≤ n − d+1 2 The aim of the present work is to deal with this alternative key equation on Λ and Ω and solving it by the Euclidean algorithm starting with r−2 = xn − 1 and ¯ r−1 = S.
4
Euclidean Algorithm for Dual ReedSolomon Codes
The next theorem characterizes the decoding polynomials by means of the alternative key equation, the polynomial degrees, and their coprimality. It is the analogue of [2, Theorem 4.8] for the standard key equation, and the proof is similar.
36
M. BrasAmor´ os and M.E. O’Sullivan
Theorem 1. Suppose that at most d−1 2 errors occurred. Then Λ and Ω are the unique polynomials f , ϕ satisfying the following properties. 1. deg(f S¯ − (xn − 1)ϕ) ≤ n − d+1 2
2. deg(ϕ) < deg(f ) ≤ d−1 2 3. f, ϕ are coprime. 4. f is monic
Consider the following algorithm: Initialize: r−2 = xn − 1, f−2 = 0, ϕ−2 = −1, ¯ f−1 = 1, ϕ−1 = 0, r−1 = S, i = −1. while deg(ri ) > n − d+1 : 2 qi = Quotient(ri−2 , ri−1 ) ri = Remainder(ri−2 , ri−1 ) ϕi = ϕi−2 − qi ϕi−1 fi = fi−2 − qi fi−1 end while Return fi /LeadingCoeﬃcient(fi ), ϕi /LeadingCoeﬃcient(fi )
The polynomial ϕ has been initialized to negative 1 because we want that fi , ϕi satisfy at each step fi S¯ − ϕi (xn − 1) = ri . The next theorem veriﬁes the algorithm. Its proof has also been ommitted and will appear in the ﬁnal form of this article. Theorem 2. If t ≤
5
d−1 2
then the algorithm outputs Λ and Ω.
From the Euclidean to the BerlekampMassey Algorithm
In this section we will perform a series of minor modiﬁcations to the previous algorithm that will lead to the BerlekampMassey algorithm. This will show that they are essentially the same. First of all, notice that the updating step in the previous algorithm can be expressed in matrix form as ri−1 fi−1 ϕi−1 −qi 1 ri fi ϕi = . 1 0 ri−1 fi−1 ϕi−1 ri−2 fi−2 ϕi−2 (0)
Furthermore, if qi = qi
−qi 1 1 0
=
(0)
1 −qi 01
(1)
(l)
+ qi x + · · · + qi xl then
(1)
1 −qi x 01
(2)
1 −qi x2 01
...
(l)
1 −qi xl 01
01 10
.
If we split all matrix multiplications we will need to add intermediate variables. Thus, it does not make sense anymore to consider matrices
From the Euclidean Algorithm for Solving a Key Equation
ri fi ϕi ri−1 fi−1 ϕi−1
37
.
˜ i , F˜i , Ψ˜i and matrices We will use auxiliary polynomials Ri , Fi , Ψi , R Ri Fi Ψi . R˜i F˜i Ψ˜i These matrices will satisfy at given stages of the algorithm (exactly when deg(Ri ) ˜ i )) that Ri , Fi , Ψi are the remainder and the intermediate B´ezout coeﬃ< deg(R ˜ i , F˜i , Ψ˜i cients in one of the steps of the original Euclidean algorithm and that R are respectively the remainder and the intermediate B´ezout coeﬃcients previous to Ri , Fi , Ψi . The previous algorithm can be expressed now: Initialize: R−1 F−1 Ψ−1 S¯ 10 ˜ −1 F˜−1 Ψ˜−1 = xn − 1 0 −1 R : while deg(Ri ) > n − d+1 2 Ri+1 Fi+1 Ψi+1 Ri Fi Ψi 01 = ˜ i+1 F˜i+1 Ψ˜i+1 ˜ i F˜i Ψ˜i 10 R R (quotient=0) ˜i) : while deg(Ri ) ≥ deg(R ˜i) μ = LeadingTerm(Ri )/LeadingTerm(R (quotient=quotient+μ) Ri+1 Fi+1 Ψi+1 Ri Fi Ψi 1 −μ = ˜ i+1 F˜i+1 Ψ˜i+1 ˜ i F˜i Ψ˜i 01 R R end while end while Return Fi /LeadingCoeﬃcient(Fi ), Ψi /LeadingCoeﬃcient(Fi )
5.1
Making Remainders Monic
˜ i monic in all steps. This makes it easier to A useful modiﬁcation is to keep R ˜i ). compute the μ’s. It is enough to force this every time we get deg(Ri ) < deg(R ˜ i ), then R ˜ i stays the same and so it remains monic. To When deg(Ri ) ≥ deg(R ˜ i by its leading coeﬃcient μ ˜, and also F˜i and Ψ˜i in order this end we divide R to keep the properties. Analogously, we multiply Ri , Fi and Ψi by −˜ μ in order to make the Fi ’s monic. Another modiﬁcation is the use of an integer p keeping track ˜ i and that we take leading coeﬃcients of the degree diﬀerence between Ri and R of Ri instead of leading terms. With these modiﬁcations, the algorithm is now:
38
M. BrasAmor´ os and M.E. O’Sullivan Initialize: R−1 R−1 Ψ−1 S¯ 10 = n ˜ −1 F˜−1 Ψ˜−1 x − 1 0 −1 R : while deg(Ri ) > n − d+1 2 μ = LeadingCoeﬃcient(Ri ) ˜i) p = deg(Ri ) − deg(R if p < 0 then Ri+1 Fi+1 ˜ i+1 F˜i+1 R else Ri+1 Fi+1 ˜ i+1 F˜i+1 R end if end while
Ψi+1 Ψ˜i+1 Ψi+1 Ψ˜i+1
=
=
0 −μ 1/μ 0 1 −μxp 01
Ri Ri Ψi ˜ i F˜i Ψ˜i R Ri Fi Ψi ˜ i F˜i Ψ˜i R
Return Fi , Ψi
5.2
Joining Steps
It is easy to check that after each step corresponding to p < 0 the new p is exactly the previous one with opposite sign and so is μ. With this observation we can join each step corresponding to p < 0 with the following one: Initialize: R−1 F−1 Ψ−1 S¯ 10 = n ˜ −1 F˜−1 Ψ˜−1 x − 1 0 −1 R : while deg(Ri ) > n − d+1 2 μ = LeadingCoeﬃcient(Ri ) ˜i) p = deg(Ri ) − deg(R if p < 0 then −p Ri Fi Ψi Ri+1 Fi+1 Ψi+1 x −μ = ˜ i+1 F˜i+1 Ψ˜i+1 ˜ i F˜i Ψ˜i 1/μ 0 R R else Ri+1 Fi+1 Ψi+1 Ri Fi Ψi 1 −μxp = ˜ i+1 F˜i+1 Ψ˜i+1 ˜ i F˜i Ψ˜i 01 R R end if end while Return Fi , Ψi
5.3
Skipping Remainders
˜ i ) is that we need Finally, the only reason to keep the polynomials Ri (and R to compute their leading coeﬃcients (the μ’s). We now show that these leading coeﬃcients may be obtained without reference to the polynomials Ri . This allows to compute the Fi , Ψi iteratively and dispense with the polynomials Ri .
From the Euclidean Algorithm for Solving a Key Equation
39
On one hand, the remainder Ri = Fi S¯ − Ψi (xn − 1) = Fi S¯ − xn Ψi + Ψi has degree at most n − 1 for all i ≥ −1. This means that all terms of xn Ψi cancel with terms of Fi S¯ and that the leading term of Ri must be either a term of Fi S¯ or a term of Ψi or a sum of a term of Fi S¯ and a term of Ψi . On the other hand, the algorithm only computes LeadingCoeﬃcient(Ri ) while deg(Ri ) ≥ n − d−1 2 . We want to see that in this case the leading term of Ri has degree strictly larger than that of Ψi . Indeed, one can check that for i ≥ −1, deg(Ψi ) < deg(Fi ) and that all Fi ’s in the algorithm have degree at most d−1 2 . d−1 d−1 So deg(Ψi ) < deg(Fi ) ≤ d−1 ≤ d − ≤ n − ≤ deg(R ). i 2 2 2 The previous algorithm can be transformed in a way such that the remainders are not kept but their degrees: Initialize: ¯ −2 = n d −1 = deg(S) d 10 f−1 ϕ−1 = F−1 Ψ−1 0 −1 while di > n − d+1 : 2 ¯ di ) μ = Coeﬃcient(fi S, p = di − di−1 if μ = 0 then di = di − 1 elseif p < 0 then −p fi+1 ϕi+1 x −μ fi ϕi = Fi+1 Ψi+1 Fi Ψi 1/μ 0 di = di−2 − 1 else
fi+1 ϕi+1 Fi+1 Ψi+1 di = di − 1 end if
=
1 −μxp 01
fi ϕi Fi Ψi
end while Return fi , ϕi
This last algorithm is the BerlekampMassey algorithm that solves the linear recurrence tj=0 Λj e(αi+j−1 ) = 0 for all i > 0. This recurrence is derived from Λ xnS−1 being a polynomial (see (7)) and thus having no terms of negative order in its expression as a Laurent series in 1/x, and from the equality 1 S e(α) e(α2 ) = + + ··· . e(1) + xn − 1 x x x2 A proof of this last equality can be found in [7].
6
Moving Back to Primal ReedSolomon Codes
It is well known that the words of a dual ReedSolomon code are in bijection with those of the primal ReedSolomon code of the same dimension. The
40
M. BrasAmor´ os and M.E. O’Sullivan
natural bijection was previously mentioned in (1). Suppose that a code word c∗ from the primal ReedSolomon code C ∗ (k) is transmitted, and that an error e∗ is added to it giving the received word u∗ = c∗ + e∗ . Notice that if c = (c∗0 , αc∗1 , α2 c∗2 , . . . , αn−1 c∗n−1 ) and e = (e∗0 , αe∗1 , α2 e∗2 , . . . , αn−1 e∗n−1 ), then c ∈ C(k) and u := c + e = (u∗0 , αu∗1 , α2 u∗2 , . . . , αn−1 u∗n−1 ). So, e has the same nonzero positions as e∗ , and the error values e∗i added to u∗i can be computed from the error values ei added to ui by e∗i = ei /αi . Table 1. Steps of the classical Euclidean algorithm q(x) = 0 r(x) = x9 f (x) = 2 ϕ(x) = 0 q(x) = 0 r(x) = α14 x8 + αx7 + α10 x6 + α10 x5 + α17 x4 + α5 x3 + x2 + α11 x + 2 f (x) = 0 ϕ(x) = 1 q(x) = α12 x + α12 r(x) = α3 x7 + α22 x6 + 2x5 + α6 x4 + α16 x3 + α9 x2 + α5 x + α12 f (x) = 2 ϕ(x) = α25 x + α25 q(x) = α11 x + α21 r(x) = α3 x6 + x5 + α23 x4 + α19 x3 + α23 x2 + α24 x + α17 f (x) = α11 x + α21 ϕ(x) = α23 x2 + α3 x + α4 q(x) = x + 2 r(x) = α10 x5 + α11 x4 + α14 x3 + αx2 + α23 x + α3 f (x) = α24 x2 + α9 x + α2 ϕ(x) = α10 x3 + α20 x2 + α4 x + α16 q(x) = α19 x + α10 r(x) = α4 x3 + α4 x2 + α10 x + α20 f (x) = α4 x3 + x2 + α7 x + 2 ϕ(x) = α16 x4 + α4 x3 + α17 x2 + α9 x + α7
Now we can perform the previous versions of the algorithm using S¯ = e(αn−k−1 )xk + e(αn−k−2 )xk+1 + · · · + e(1)xn−1 = e∗ (αn−k )xk + e∗ (αn−k−1 )xk+1 + · · · + e∗ (α)xn−1 , which is known because it is equal to u∗ (αn−k )xk + u∗ (αn−k−1 )xk+1 + · · · + u∗ (α)xn−1 . Then, once we have the error positions, we can compute the error values as e∗i =
Ω(αi ) . αi Λ (αi )
As an example, consider F27 = F2 [x]/(x3 + 2x + 1) and suppose that α is the class of x. Suppose d = 10 and e∗ = α4 x + α2 x2 + α6 x8 + α3 x24 . For the classical Euclidean algorithm, we need the polynomial
From the Euclidean Algorithm for Solving a Key Equation
41
Table 2. Steps of the new Euclidean algorithm q(x) = 0 r(x) = x26 + 2 f (x) = 0 ϕ(x) = 2 q(x) = 0 r(x) = 2x25 + α11 x24 + x23 + α5 x22 + α17 x21 + α10 x20 + α10 x19 + αx18 + α14 x17 f (x) = 1 ϕ(x) = 0 q(x) = 2x + α24 r(x) = α14 x24 + α16 x23 + α25 x22 + α17 x21 + α20 x20 + α6 x19 + α7 x18 + α25 x17 + 2 f (x) = x + α11 ϕ(x) = 2 q(x) = α25 x + α17 r(x) = α16 x23 + α15 x22 + α7 x21 + α7 x20 + α11 x19 + α25 x18 + 2x17 + α25 x + α17 f (x) = α12 x2 + αx + α25 ϕ(x) = α25 x + α17 q(x) = α24 x + α6 r(x) = α24 x22 + 2x21 + α25 x20 + α9 x19 + α21 x18 + α3 x17 + α10 x2 + α24 x + α11 f (x) = α23 x3 + α9 x2 + α22 x + α15 ϕ(x) = α10 x2 + α24 x + α11 q(x) = α18 x + α18 r(x) = α8 x20 + α2 x19 + α21 x18 + α25 x17 + α15 x3 + α5 x2 + α25 x + α25 f (x) = α2 x4 + α4 x3 + α12 x2 + α25 x + α11 ϕ(x) = α15 x3 + α5 x2 + α25 x + α25
S¯∗ = e∗ (α)+e∗ (α2 )x+· · ·+e∗ (αn−k )xn−k−1 = α14 x8 +αx7 +α10 x6 +α10 x5 + a x + α5 x3 + x2 + α11 x + 2. For the new Euclidean algorithm we will use S¯ = e∗ (αn−k )xk +e∗ (αn−k−1 )xk+1 + · · · + e∗ (α)xn−1 = 2x25 + α11 x24 + x23 + α5 x22 + α17 x21 + α10 x20 + α10 x19 + αx18 + α14 x1 7. The steps of both algorithms are written in Table 1 and Table 2. 17 4
References 1. Berlekamp, E.R.: Algebraic coding theory. McGrawHill Book Co., New York (1968) 2. Cox, D.A., Little, J., O’Shea, D. (eds.): Using algebraic geometry, 2nd edn. Graduate Texts in Mathematics, vol. 185. Springer, New York (2005) 3. Dornstetter, J.L.: On the equivalence between Berlekamp’s and Euclid’s algorithms. IEEE Trans. Inform. Theory 33(3), 428–431 (1987) 4. David Forney Jr., G.: On decoding BCH codes. IEEE Trans. Information Theory IT11, 549–557 (1965) 5. Heydtmann, A.E., Jensen, J.M.: On the equivalence of the BerlekampMassey and the Euclidean algorithms for decoding. IEEE Trans. Inform. Theory 46(7), 2614– 2624 (2000) 6. Massey, J.L.: Shiftregister synthesis and BCH decoding. IEEE Trans. Information Theory IT15, 122–127 (1969)
42
M. BrasAmor´ os and M.E. O’Sullivan
7. O’Sullivan, M.E., BrasAmor´ os, M.: The Key Equation for OnePoint Codes, ch. 3, pp. 99–152 (2008) 8. Roth, R.: Introduction to coding theory. Cambridge University Press, Cambridge (2006) 9. Sugiyama, Y., Kasahara, M., Hirasawa, S., Namekawa, T.: A method for solving key equation for decoding Goppa codes. Information and Control 27, 87–99 (1975)
Rank for Some Families of Quaternary ReedMuller Codes Jaume Pernas, Jaume Pujol, and Merc`e Villanueva Dept. of Information and Communications Engineering, Universitat Aut` onoma de Barcelona, Spain {jaume.pernas,jaume.pujol,merce.villanueva}@autonoma.edu
Abstract. Recently, new families of quaternary linear ReedMuller codes such that, after the Gray map, the corresponding Z4 linear codes have the same parameters and properties as the codes in the usual binary linear ReedMuller family have been introduced. A structural invariant, the rank, for binary codes is used to classify some of these Z4 linear codes. The rank is established generalizing the known results about the rank for Z4 linear Hadamard and Z4 linear extended 1perfect codes. Keywords: Rank, quaternary codes, ReedMuller codes, Z4 linear codes.
1
Introduction
Let Z2 and Z4 be the ring of integers modulo 2 and modulo 4, respectively. Let Zn2 be the set of all binary vectors of length n and let Zn4 be the set of all quaternary vectors of length n. Any nonempty subset C of Zn2 is a binary code and a subgroup of Zn2 is called a binary linear code or a Z2 linear code. Equivalently, any nonempty subset C of Zn4 is a quaternary code and a subgroup of Zn4 is called a quaternary linear code. Some authors also use the term “quaternary codes” to refer to additive codes over GF (4) [1], but note that these are not the codes we are considering in this paper. The Hamming distance dH (u, v) between two vectors u, v ∈ Zn2 is the number of coordinates in which u and v diﬀer. The Hamming weight of a vector u ∈ Zn2 , denoted by wH (u), is the number of nonzero coordinates of u. The minimum Hamming distance of a binary code C is the minimum value of dH (u, v) for u, v ∈ C satisfying u = v. The Gray map, φ : Zn4 −→ Z2n 2 given by φ(v1 , . . . , vn ) = (ϕ(v1 ), . . . , ϕ(vn )) where ϕ(0) = (0, 0), ϕ(1) = (0, 1), ϕ(2) = (1, 1), ϕ(3) = (1, 0), is an isometry which transforms Lee distances over Zn4 into Hamming distances over Z2n 2 . Let C be a quaternary linear code. Since C is a subgroup of Zn4 , it is isomorphic to an abelian structure Zγ2 × Zδ4 . Therefore, C is of type 2γ 4δ as a group, it has C = 2γ+2δ codewords and 2γ+δ codewords of order two. The binary image
This work was supported in part by the Spanish MEC and the European FEDER under Grant MTM200603250.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 43–52, 2009. c SpringerVerlag Berlin Heidelberg 2009
44
J. Pernas, J. Pujol, and M. Villanueva
C = φ(C) of any quaternary linear code C of length n and type 2γ 4δ is called a Z4 linear code of binary length N = 2n and type 2γ 4δ . Two binary codes C1 and C2 of length n are said to be isomorphic if there is a coordinate permutation π such that C2 = {π(c) : c ∈ C1 }. They are said to be equivalent if there is a vector a ∈ Zn2 and a coordinate permutation π such that C2 = {a + π(c) : c ∈ C1 } [11]. Two quaternary linear codes C1 and C2 both of length n and type 2γ 4δ are said to be monomially equivalent, if one can be obtained from the other by permuting the coordinates and (if necessary) changing the signs of certain coordinates. They are said to be permutation equivalent if they diﬀer only by a permutation of coordinates [9]. Note that if two quaternary linear codes C1 and C2 are monomially equivalent, then the corresponding Z4 linear codes C1 = φ(C1 ) and C2 = φ(C2 ) are isomorphic. Two structural invariants for binary codes are the rank and dimension of the kernel. The rank of a binary code C, denoted by rC , is simply the dimension of C, which is the linear span of the codewords of C. The kernel of a binary code C, denoted by K(C), is the set of vectors that leave C invariant under translation, i.e. K(C) = {x ∈ Zn2 : C + x = C}. If C contains the allzero vector, then K(C) is a binary linear subcode of C. The dimension of the kernel of C will be denoted by kC . These two invariants do not give a full classiﬁcation of binary codes, since two nonisomorphic binary codes could have the same rank and dimension of the kernel. In spite of that, they can help in classiﬁcation, since if two binary codes have diﬀerent ranks or dimensions of the kernel, they are nonisomorphic. It is wellknown that an easy way to built the binary linear ReedMuller family of codes, denoted by RM , is using the Plotkin construction [11]. In [14],[15], Pujol et al. introduced new quaternary Plotkin constructions to build new families of quaternary linear ReedMuller codes, denoted by RMs . The quaternary linear ReedMuller codes RMs (r, m) of length 2m−1 , for m ≥ 1, 0 ≤ r ≤ m and 0 ≤ s ≤ m−1 2 , in these new families satisfy that the corresponding Z4 linear codes have the same parameters and properties (length, dimension, minimum distance, inclusion and duality relationship) as the binary linear codes in the wellknown RM family. In the binary case, there is only one family. In contrast, in the quaternary case, for each m there are m+1 2 families, which will be distinguished using subindexes s from the set {0, . . . , m−1 2 }. The dimension of the kernel and rank have been studied for some families of Z4 linear codes [2], [4], [5], [10], [12]. In the RM family, the RM (1, m) and RM (m − 2, m) binary codes are a linear Hadamard and extended 1perfect code, respectively. Recall that a Hadamard code of length n = 2m is a binary code with 2n codewords and minimum Hamming distance n/2, and an extended 1perfect code of length n = 2m is a binary code with 2n−m codewords and minimum Hamming distance 4. Equivalently, in the RMs families, the corresponding Z4 linear code of any RMs (1, m) and RMs (m − 2, m) is a Hadamard and extended 1perfect code, respectively [14],[15]. For the corresponding Z4 linear codes of RMs (1, m) and RMs (m − 2, m), the rank were studied and computed in [5],[10].
Rank for Some Families of Quaternary ReedMuller Codes
Speciﬁcally,
45
γ + 2δ if s = 0, 1 and (1) γ + 2δ + δ−1 if s ≥ 2 2 rP = γ¯ + 2δ¯ + δ = 2m−1 + δ¯ (except rP = 11, if m = 4 and s = 0), where ¯ H = φ(RMs (1, m)) of type 2γ 4δ and P = φ(RMs (m − 2, m)) of type 2γ¯ 4δ . The dimension of the kernel was computed for all RMs (r, m) codes in [13]. The aim of this paper is the study of the rank for these codes, generalizing the known results about the rank for the RMs (r, m) codes with r ∈ {0, 1, m − 2, m − 1, m} [5],[10]. The paper is organized as follows. In Section 2, we recall some properties related to quaternary linear codes and the rank of these codes. Moreover, we describe the construction of the RMs families of codes. In Section 3, we establish the rank for all codes in the RMs families with s ∈ {0, 1}. Furthermore, we establish the rank for the RMs (r, m) codes with r ∈ {2, m−3}. In Section 4, we show that the rank allows us to classify the RMs (r, m) codes with r ∈ {2, m − 3}. Finally, the conclusions are given in Section 5. rH =
2 2.1
Preliminaries Quaternary Linear Codes
Let C be a quaternary linear code of length n and type 2γ 4δ . Although C is not a free module, every codeword is uniquely expressible in the form γ δ λi ui + μj vj , i=1
j=1
where λi ∈ Z2 for 1 ≤ i ≤ γ, μj ∈ Z4 for 1 ≤ j ≤ δ and ui , vj are vectors in Zn4 of order two and four, respectively. The vectors ui , vj give us a generator matrix G of size (γ + δ) × n for the code C. In [8], it was shown that any quaternary linear code of type 2γ 4δ is permutation equivalent to a quaternary linear code with a canonical generator matrix of the form 2T 2Iγ 0 , (2) S R Iδ where R, T are matrices over Z2 of size δ × γ and γ × (n − γ − δ), respectively; and S is a matrix over Z4 of size δ × (n − γ − δ). The concepts of duality for quaternary linear codes were also studied in [8], n where n the inner product for any two vectors u, v ∈ Z4 is⊥ deﬁned as u · v = i=1 ui vi ∈ Z4 . Then, the dual code of C, denoted by C , is deﬁned in the standard way C ⊥ = {v ∈ Zn4 : u · v = 0 for all u ∈ C}. The corresponding binary code φ(C ⊥ ) is denoted by C⊥ and called the Z4 dual code of C = φ(C). Moreover, the dual code C ⊥ , which is also a quaternary linear code, is of type 2γ 4n−γ−δ . Let u ∗ v denote the componentwise product for any u, v ∈ Zn4 . Lemma 1 ([6],[7]). Let C be a quaternary linear code of type 2γ 4δ and let C = φ(C) be the corresponding Z4 linear code. Let G be a generator matrix of C and let {ui }γi=1 be the rows of order two and {vj }δj=0 the rows of order four in G. Then, C is generated by {φ(ui )}γi=1 , {φ(vj ), φ(2vj )}δj=1 and {φ(2vj ∗ vk )}1≤j
46
2.2
J. Pernas, J. Pujol, and M. Villanueva
Quaternary Linear ReedMuller Codes
Recall that a binary linear r thorder ReedMuller code RM (r, m) with 0 ≤ r ≤ m and m ≥ 2 can be described using the Plotkin construction as follows [11]: RM (r, m) = {(uu + v) : u ∈ RM (r, m − 1), v ∈ RM (r − 1, m − 1)}, where RM (0, m) is the repetition code {0, 1}, RM (m, m) is the universe code, and ”” denotes concatenation. For m = 1, there are only two codes: the repetition code RM (0, 1) and the universe code RM (1, 1). This RM family of codes r m m m−r has length 2 , minimum distance 2 and dimension . Moreover, the i i=0 code RM (r − 1, m) is a subcode of RM (r, m) and the code RM (r, m) is the dual code of RM (m − 1 − r, m) for 0 ≤ r < m. In the recent literature [2],[3],[8],[16],[17] several families of quaternary linear codes have been proposed and studied trying to generalize the RM family. However, when the corresponding Z4 linear codes are taken, they do not satisfy all the same properties as the RM family. In [14],[15], new quaternary linear ReedMuller families, RMs , such that the corresponding Z4 linear codes have the parameters and properties of RM family of codes, were proposed. The following two constructions are necessary to generate these new RMs families. Definition 2 (Plotkin Construction). Let A and B be two quaternary linear codes of length n, types 2γA 4δA and 2γB 4δB , and minimum distances dA and dB , respectively. A new quaternary linear code PC(A, B) is defined as PC(A, B) = {(uu + v) : u ∈ A, v ∈ B}. It is easy to see that if GA and GB are generator matrices of A and B, respectively, then the matrix GA GA GP C = 0 GB is a generator matrix of the code PC(A, B). Moreover, the code PC(A, B) is of length 2n, type 2γA +γB 4δA +δB , and minimum distance d = min{2dA , dB } [14],[15]. Definition 3 (BQPlotkin Construction). Let A, B, and C be three quaternary linear codes of length n; types 2γA 4δA , 2γB 4δB , and 2γC 4δC ; and minimum distances dA , dB , and dC , respectively. Let GA , GB , and GC be generator matrices of the codes A, B, and C, respectively. A new code BQ(A, B, C) is defined as the quaternary linear code generated by ⎛ ⎞ GA GA GA GA ⎜ 0 GB 2GB 3GB ⎟ ⎟ GBQ = ⎜ ⎝ 0 0 GˆB GˆB ⎠ , 0 0 0 GC where GB is the matrix obtained from GB after switching twos by ones in their γB rows of order two, and GˆB is the matrix obtained from GB after removing their γB rows of order two.
Rank for Some Families of Quaternary ReedMuller Codes
47
The code BQ(A, B, C) is of length 4n, type 2γA +γC 4δA +γB +2δB +δC , and minimum distance d = min{4dA , 2dB , dC } [14],[15]. Now, the quaternary linear ReedMuller codes RMs (r, m) of length 2m−1 , for m ≥ 1, 0 ≤ r ≤ m, and 0 ≤ s ≤ m−1 2 , will be deﬁned. For the recursive construction it will be convenient to deﬁne them also for r < 0 and r > m. We begin by considering the trivial cases. The code RMs (r, m) with r < 0 is deﬁned as the zero code. The code RMs (0, m) is deﬁned as the repetition code with only the allzero and alltwo vectors. The code RMs (r, m) with r ≥ m is deﬁned . For m = 1, there is only one family with s = 0, and as the whole space Zm−1 4 in this family there are only the zero, repetition and universe codes for r < 0, r = 0 and r ≥ 1, respectively. In this case, the generator matrix ofRM 0 (0, 1) is G0(0,1) = 2 and the generator matrix of RM0 (1, 1) is G0(1,1) = 1 . For any m ≥ 2, given RMs (r, m − 1) and RMs (r − 1, m − 1) codes, where 0 ≤ s ≤ m−2 2 , the RMs (r, m) code can be constructed in a recursive way using the Plotkin construction given by Deﬁnition 2 as follows: RMs (r, m) = PC(RMs (r, m − 1), RMs (r − 1, m − 1)). For example, for m = 2, the generator matrices of RM0 (r, 2), 0 ≤ r ≤ 2, are the following: 02 10 G0(0,2) = 2 2 ; G0(1,2) = ; G0(2,2) = . 11 01 Note that when m is odd, the RMs family with s = m−1 can not be generated 2 using the Plotkin construction. In this case, for any m ≥ 3, m odd and s = m−1 2 , given RMs−1 (r, m − 2), RMs−1 (r − 1, m − 2) and RMs−1 (r − 2, m − 2), the RMs (r, m) code can be constructed using the BQPlotkin construction given by Deﬁnition 3 as follows: RMs (r, m) = BQ(RMs−1 (r, m−2), RMs−1 (r−1, m−2), RMs−1 (r−2, m−2)). For example, for m = 3, there are two families. The RM0 family can be generated using the Plotkin construction. On the other hand, the RM1 family has to be generated using the BQPlotkin construction. The generator matrices of RM1 (r, 3), 0 ≤ r ≤ 3, are the following: G1(0,3) = 2 2 2 2 ; ⎛ ⎛ ⎞ ⎞ 1111 1111 ⎜0 1 2 3⎟ ⎜0 1 2 3⎟ 1111 ⎜ ⎟ ⎟ G1(1,3) = ; G1(2,3) = ⎜ ⎝ 0 0 1 1 ⎠ ; G1(3,3) = ⎝ 0 0 1 1 ⎠ . 0123 0002 0001 Table 1 shows the type 2γ 4δ of all these RMs (r, m) codes for m ≤ 10. The following proposition summarizes the parameters and properties of these RMs families of codes. Proposition 4 ([14],[15]). A quaternary linear ReedMuller code RMs (r, m), with m ≥ 1, 0 ≤ r ≤ m, and 0 ≤ s ≤ m−1 2 , has the following parameters and properties:
48
J. Pernas, J. Pujol, and M. Villanueva
1. the length is n = 2m−1 ; 2. the minimum distance is d = 2m−r ; 3. 4. 5. 6.
3
r m the number of codewords is 2 , where k = ; i i=0 the code RMs (r − 1, m) is a subcode of RMs (r, m) for 0 ≤ r ≤ m; the codes RMs (1, m) and RMs (m−2, m), after the Gray map, are Z4 linear Hadamard and Z4 linear extended perfect codes, respectively; the code RMs (r, m) is the dual code of RMs (m − 1 − r, m) for −1 ≤ r ≤ m. k
Rank for Some Infinite Families of RMs(r, m) Codes
In this section, we will compute the rank for some inﬁnite families of the quaternary linear ReedMuller codes RMs (r, m). The rank of RMs (r, m) will be denoted by rs(r,m) instead of rRMs (r,m) . First of all, we will recall the result that gives us which of the RMs (r, m) codes are binary liner codes after the Gray map. Note that if we have a quaternary linear code of type 2γ 4δ which is a binary linear code after the Gray map, we can compute the rank as γ + 2δ [6],[7]. Proposition 5 ([13]). For all m ≥ 1, the corresponding Z4 linear code of the RMs (r, m) code is a binary linear code if and only if ⎧ ⎨ s = 0 and r ∈ {0, 1, 2, m − 1, m}, s = 1 and r ∈ {0, 1, m − 1, m}, ⎩ s ≥ 2 and r ∈ {0, m − 1, m}. Now, we will give an expression for the parameters γ and δ of a quaternary linear ReedMuller code RMs (r, m) of type 2γ 4δ , depending on s, r and m. Lemma 6. Let C be a quaternary linear ReedMuller code RMs (r, m) of type 2γ 4δ . Then, for s ≥ 0, m ≥ 2s + 1 and 0 ≤ r ≤ m, r2 m − 2s − 1 s γ= r − 2i i i=0
and
r 1 m γ δ= − . 2 i=0 i 2
The next proposition gives us an important result for these quaternary linear ReedMuller codes. In some cases, we obtain two codes with the same rank, but diﬀerent s. We will prove that these codes are equal. This proposition will be used for the classiﬁcation of some of the RMs (r, m) codes in Section 4, and it will also be used to calculate the rank of these codes as exceptions. Proposition 7. Given two codes RMs (r, m) and RMs−1 (r, m) of type 2γ 4δ and 2γ 4δ , respectively, such that m ≥ 3 is odd, r ≥ 2 is even, and s = m−1 2 , then RMs (r, m) = RMs−1 (r, m).
Rank for Some Families of Quaternary ReedMuller Codes
49
Proof. The generator matrix Gs−1(r,m) of RMs−1 (r, m) is obtained using the Plotkin construction from RMs−1 (r − 1, m − 1) and RMs−1 (r, m − 1). Furthermore, the generator matrices of RMs−1 (r − 1, m − 1) and RMs−1 (r, m − 1) can be obtained using Plotkin construction again from codes with m − 2 value. So we can write the generator matrix Gs−1(r,m) as follows: ⎛ ⎞ Gs−1(r,m−2) Gs−1(r,m−2) Gs−1(r,m−2) Gs−1(r,m−2) ⎜ 0 Gs−1(r−1,m−2) 0 Gs−1(r−1,m−2) ⎟ ⎟. Gs−1(r,m) = ⎜ ⎝ 0 0 Gs−1(r−1,m−2) Gs−1(r−1,m−2) ⎠ 0 0 0 Gs−1(r−2,m−2) The generator matrix Gs(r,m) of RMs (r, m) can be obtained using the BQPlotkin construction given by Deﬁnition 3. Since r is even and m is odd, r − 1 and m − 2 are odd. In this case any RMs−1 (r − 1, m − 2) code, where s = m−1 2 , is of type 20 4δ . This result can be proved by induction on m and using the BQ Plotkin construction. Since Gs−1(r−1,m−2) is of type 20 4δ , then Gs−1(r−1,m−2) = ˆ Gs−1(r−1,m−2) and Gs−1(r−1,m−2) = Gs−1(r−1,m−2) . It is easy to ﬁnd a linear combination of rows that transforms the matrix Gs−1(r,m) into the matrix Gs(r,m) . Now, we will give a recursive way to compute the rank for all ReedMuller codes in the RM0 and RM1 families. Note that the ﬁrst binary nonlinear code is RM0 (3, 5). Thus, for m < 5 the rank is γ + 2δ. Proposition 8. Let C be a quaternary linear ReedMuller code RM0 (r, m). The rank of C for m ≥ 5 is 0 if r ∈ {0, 1, 2, m − 1, m} r0(r,m) = r0(r,m−1) + r0(r−1,m−1) + m−2 if r ∈ {3, . . . , m − 2} 2r−3 Proposition 9. Let C be a quaternary linear ReedMuller code RM1 (r, m). The rank of C for m ≥ 5 is ⎧ if r ∈ {0, 1, m − 1, m} ⎨0 r1(r,m) = r1(r,m−1) + r1(r−1,m−1) + m − 2 if r = 2 ⎩ m−1 if r ∈ {3, . . . , m − 2}. 2 2r−3 The next proposition gives the rank for all quaternary linear ReedMuller codes with r ∈ {0, 1, m − 3, m − 2, m − 1, m} and any s. Proposition 10. Let RMs (r, m) be a quaternary linear ReedMuller code of type 2γ 4δ . The rank of RMs (r, m) can be computed as ⎧ γ + 2δ if r ∈ {0, m − 1, m} ⎪ ⎪ ⎪ γ + 2δ ⎪ ⎨ if r = 1 and s ∈ {0, 1} rs(r,m) = γ + 2δ + δ−1 if r = 1 and s ≥ 2 2 ⎪ m−1 ⎪ 2 + δ if r = m − 3 and m > 6 ⎪ ⎪ ⎩ m−1 2 +δ if r = m − 2 and m > 4.
50
J. Pernas, J. Pujol, and M. Villanueva
Finally, the next proposition gives a recursive way to compute the rank of all quaternary linear ReedMuller codes with r = 2 and any s. Proposition 11. Let RMs (2, m) be a quaternary linear ReedMuller code of type 2γ 4δ . The rank of RMs (2, m) can be computed as s+1 (m − s − 3), rs(2,m) = rs(2,m−1) + rs(1,m−1) + 2s + 2 except when m is odd and s =
m−1 2 ,
since the rank is rs(2,m) = rs−1(2,m) .
When m is odd and s = m−1 2 , by Proposition 7, the codes RMs (2, m) and RMs−1 (2, m) are equals. Thus, the rank is also the same. Note that, for s = 0 and r = 2, we have a binary linear code and the rank is γ + 2δ.
4
Classification of Some Families of RMs(r, m) Codes
In this section, we will show that this invariant, the rank, will allow us to classify these RMs (r, m) codes in some cases depending on the parameter r. This classiﬁcation was given for r = 1 and r = m − 2 [5], [10]. Now, we will extend this result for r = 2 and r = m − 3. We are close to generalize this result for all 0 ≤ r ≤ m, but it is not easy to obtain a general form to compute the rank for all quaternary linear ReedMuller codes RMs (r, m). Table 1 shows the type 2γ 4δ and the rank of all these RMs (r, m) codes for m ≤ 10. In these examples, you can see that the rank is always diﬀerent, except for the codes quoted in Proposition 7. If two codes have diﬀerent rank, we can say that they are nonisomorphic. The next theorem proves that for a given m ≥ 4, and r ∈ {2, m − 3}2, the RMs (r, m) codes have diﬀerent rank, so they are nonisomorphic. In some cases, there is an exception, but we know by Proposition 7 that the codes are equal. Theorem 12. For all m ≥ 4 and r ∈ {2, m − 3}, there are at least m+1 2 nonisomorphic binary codes with the same parameters as the code RM (r, m), except when m is odd, and r is even. In this case, there are at least m−1 nonisomorphic 2 binary codes with the same parameters as the code RM (r, m). Proof. By Proposition 11, we know that rs(2,m) = rs(2,m−1) + rs(1,m−1) + 2s + s+1 increases or 2 (m − s − 3). If r = 1, the code is Hadamard and rs(1,m−1) is equal to, depending on s. For m ≥ 4 the expression 2s + s+1 (m − s − 3) 2 also increases, depending on s. We can suppose that rs(2,m−1) is crescent on s for m = 4 and proceed by induction on m. Therefore, rs(2,m) is diﬀerent for every s, except when m is odd, where we have two codes with the same rank. By Proposition 7, these two codes are equal. By Proposition 10, we know that rs(m−3,m) = 2m−1 + δ. In Proposition 6, we can see a way to compute γ. Since r = m − 3, then the value of γ is decreasing on s. Thus, δ is crescent and the rank is also crescent, depending on s. When m is odd and r is even, we have again the case of two equal codes, solved in Proposition 7.
Rank for Some Families of Quaternary ReedMuller Codes
51
Table 1. Type 2γ 4δ and rank rs(r,m) for all RMs (r, m) codes with m ≤ 10 and r ∈ {0, 1, 2, 3}, showing them in the form (γ, δ) rs(r,m) m 1 2 3 4 5 6
7
8
9
10
5
HHr 0 s H 0 0 0 1 0 1 0 1 2 0 1 2 0 1 2 3 0 1 2 3 0 1 2 3 3 0 1 2 3 3
(1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0) (1,0)
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
(0,1) (1,1) (2,1) (0,2) (3,1) (1,2) (4,1) (2,2) (0,3) (5,1) (3,2) (1,3) (6,1) (4,2) (2,3) (0,4) (7,1) (5,2) (3,3) (1,4) (8,1) (6,2) (4,3) (2,4) (0,5) (7,1) (5,2) (3,3) (1,4) (1,5)
2 2 3 4 4 5 5 6 6 7 7 7 8 8 8 9 11 9 9 10 12 10 10 11 13 16 11 11 12 14 17
(0,2) 4 (1,3) 7 (1,3) 7 (3,4) 11 (1,5) 13 (6,5) 16 (2,7) 21 (2,7) 21 (10,6) 22 (4,9) 31 (2,10) 35 (15,7) 29 (7,11) 43 (3,13) 53 (3,13) 53 (21,8) 37 (11,13) 57 (5,16) 75 (3,17) 82 (28,9) 46 (16,15) 73 (8,19) 101 (4,21) 118 (4,21) 118 (36,10) 56 (22,17) 91 (12,22) 131 (6,25) 161 (4,26) 172
m−3
(. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . ) (. . . )
(1,0) 1 (1,0) 1 (3,1) 5 (1,2) 5 (6,5) 16 (2,7) 21 (2,7) 21 (10,16) 47 (4,19) 51 (2,20) 52 (15,42) 106 (7,46) 110 (3,48) 112 (3,48) 112 (21, 99) 227 (11,104) 232 (5,107) 235 (3,108) 236 (28,219) 475 (16,225) 481 (8,229) 485 (4,231) 487 (4,231) 487 (36,466) 978 (22,473) 985 (12,478) 990 ( 6,481) 993 ( 4,482) 994
m−2
m−1
m
(1,0) 1 (2,1) 4 (0,2) 4 (3,4) 11 (1,5) 13 (4,11) 27 (2,12) 28 (0,13) 29 (5,26) 58 (3,27) 59 (1,28) 60 (6,57) 121 (4,58) 122 (2,59) 123 (0,60) 124 (7,120) 248 (5,121) 249 (3,122) 250 (1,123) 251 (8,247) 503 (6,248) 504 (4,249) 505 (2,250) 506 (0,251) 507 (9,502) 1014 (7,503) 1015 (5,504) 1016 (3,505) 1017 (1,506) 1018
(1,0) 1 (1,1) 3 (1,3) 7 (1,3) 7 (1,7) 15 (1,7) 15 (1,15) 31 (1,15) 31 (1,15) 31 (1,31) 63 (1,31) 63 (1,31) 63 (1,63) 127 (1,63) 127 (1,63) 127 (1,63) 127 (1,127) 255 (1,127) 255 (1,127) 255 (1,127) 255 (1,255) 511 (1,255) 511 (1,255) 511 (1,255) 511 (1,255) 511 (1,511) 1023 (1,511) 1023 (1,511) 1023 (1,511) 1023 (1,511) 1023
(0,1) 2 (0,2) 4 (0,4) 8 (0,4) 8 (0,8) 16 (0,8) 16 (0,16) 32 (0,16) 32 (0,16) 32 (0,32) 64 (0,32) 64 (0,32) 64 (0,64) 128 (0,64) 128 (0,64) 128 (0,64) 128 ( 0,128) 256 ( 0,128) 256 ( 0,128) 256 ( 0,128) 256 (0,256) 512 (0,256) 512 (0,256) 512 (0,256) 512 (0,256) 512 (0,512) 1024 (0,512) 1024 (0,512) 1024 (0,512) 1024 (0,512) 1024
Conclusions
In a recent paper [15], new families of quaternary linear codes, the RMs (r, m) codes, are constructed in such a way that, after the Gray map, the Z4 linear codes fulﬁll the same properties and fundamental characteristics as the binary linear ReedMuller codes. In this paper, a structural invariant for binary codes, the rank, is used to classify some of these new families of codes. Speciﬁcally, we classiﬁed the RMs (r, m) codes with r ∈ {2, m − 3}. The RMs (r, m) codes with r ∈ {0, 1, m − 2, m − 1, m} were already classiﬁed using the rank [5],[10]. As a future research, it would be interesting to compute the rank for the RMs (r, m) codes with r ∈ {3, . . . , m − 4} and s ≥ 2, in order to see whether it is possible to obtain a full classiﬁcation of all these RMs (r, m) codes using this invariant. In this paper, we also proved that, when m is odd, m ≥ 5, and r is even, there are two codes with the same rank, because these two codes are equal. Moreover, we also computed the rank for all codes in the RM0 and RM1 families.
References 1. Bierbrauer, J.: Introduction to coding theory. Chapman & Hall/CRC, Boca Raton (2005) 2. Borges, J., Fern´ andez, C., Phelps, K.T.: Quaternary ReedMuller codes. IEEE Trans. Inform. Theory 51(7), 2686–2691 (2005) 3. Borges, J., Fern´ andezC´ ordoba, C., Phelps, K.T.: “ZRM codes”. IEEE Trans. Inform. Theory 54(1), 380–386 (2008)
52
J. Pernas, J. Pujol, and M. Villanueva
4. Borges, J., Phelps, K.T., Rif` a, J., Zinoviev, V.A.: On Z4 linear Preparatalike and Kerdocklike codes. IEEE Trans. Inform. Theory 49(11), 2834–2843 (2003) 5. Borges, J., Phelps, K.T., Rif` a, J.: The rank and kernel of extended 1perfect Z4 linear and additive nonZ4 linear codes. IEEE Trans. Inform. Theory 49(8), 2028– 2034 (2003) 6. Fern´ andezC´ ordoba, C., Pujol, J., Villanueva, M.: On rank and kernel of Z4 linear codes. In: Barbero, A. (ed.) ICMCTA 2008. LNCS, vol. 5228, pp. 46–55. Springer, Heidelberg (2008) 7. Fern´ andezC´ ordoba, C., Pujol, J., Villanueva, M.: Z2 Z4 linear codes: rank and kernel. Discrete Applied Mathematics (2008) (submitted), arXiv:0807.4247 8. Hammons, A.R., Kumar, P.V., Calderbank, A.R., Sloane, N.J.A., Sol´e, P.: The Z4 linearity of Kerdock, Preparata, Goethals and related codes. IEEE Trans. Inform. Theory 40, 301–319 (1994) 9. Huﬀman, W.C., Pless, V.: Fundamentals of ErrorCorrecting Codes. Cambridge University Press, Cambridge (2003) 10. Krotov, D.S.: Z4 linear Hadamard and extended perfect codes. In: International Workshop on Coding and Cryptography, Paris, France, January 812, pp. 329–334 (2001) 11. MacWilliams, F.J., Sloane, N.J.A.: The Theory of ErrorCorrecting Codes. NorthHolland Publishing Company, Amsterdam (1977) 12. Phelps, K.T., Rif` a, J., Villanueva, M.: On the additive (Z4 linear and nonZ4 linear) Hadamard codes: rank and kernel. IEEE Trans. Inform. Theory 52(1), 316– 319 (2006) 13. Pernas, J., Pujol, J., Villanueva, M.: Kernel dimension for some families of quaternary ReedMuller codes. In: Calmet, J., Geiselmann, W., M¨ ullerQuade, J. (eds.) Beth Festschrift. LNCS, vol. 5393, pp. 128–141. Springer, Heidelberg (2008) 14. Pujol, J., Rif` a, J., Solov’eva, F.I.: Quaternary Plotkin constructions and quaternary ReedMuller codes. In: Bozta¸s, S., Lu, H.F(F.) (eds.) AAECC 2007. LNCS, vol. 4851, pp. 148–157. Springer, Heidelberg (2007) 15. Pujol, J., Rif` a, J., Solov’eva, F.I.: Construction of Z4 linear ReedMuller codes. IEEE Trans. Inform. Theory 55(1), 99–104 (2009) 16. Solov’eva, F.I.: On Z4linear codes with parameters of ReedMuller codes. Problems of Inform. Trans. 43(1), 26–32 (2007) 17. Wan, Z.X.: Quaternary codes. World Scientiﬁc Publishing Co. Pte. Ltd., Singapore (1997)
Optimal Bipartite Ramanujan Graphs from Balanced Incomplete Block Designs: Their Characterizations and Applications to Expander/LDPC Codes Tom Høholdt1 and Heeralal Janwal2 1
Institute for Mathematics, Technical University of Denmark, Denmark [email protected] 2 Department of Mathematics and Computer Science, University of Puerto Rico (UPR), Rio Piedras Campus, P.O. Box: 23355, San Juan, PR 00931  3355 [email protected]
Abstract. We characterize optimal bipartite expander graphs and give necessary and suﬃcient conditions for optimality. We determine the expansion parameters of the BIBD graphs and show that they yield optimal expander graphs that are also bipartite Ramanujan graphs. In particular, we show that the bipartite graphs derived from ﬁnite projective and aﬃne geometries yield optimal Ramanujan graphs. This in turn leads to a theoretical explanation of the good performance of a class of LDPC codes. Keywords: Bipartite graphs, expander graphs, eigenvalues of graphs, Ramanujan graphs, BIBD, ﬁnite geometries, LDPC and expander codes.
1
Introduction
An expander graph is a highly connected “sparse” graph (see, for example [51]). Expander graphs have numerous applications including those in communication science, computer science (especially complexity theory), network design, cryptography, combinatorics and pure mathematics (see the books and articles in the Bibliography). Expander graphs have played a prominent role in recent developments in coding theory (LDPC codes, expander codes, linear time encodable and decodable codes, codes attaining the Zyablov bound with low complexity of decoding) (see [55], [53], [54], [48], [57], [58], [38] [8],[27], [26], [4], [13], and others). We shall consider graphs X = (V, E), where V is the set of vertices and E is the set of edges of X . We will assume that the graph is undirected and connected and we shall only consider ﬁnite graphs. For F ⊂ V , the boundary ∂F is the set of edges connecting F to V \ F . The expanding constant, or isoperimetric constant of X is deﬁned as, ∂F  h(X ) = min ∅=F ⊂V min{F , V \ F } M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 53–64, 2009. c SpringerVerlag Berlin Heidelberg 2009
54
T. Høholdt and H. Janwal
If X is viewed as the graph of a communication network, then h(X ) measures the “quality” of the network as a transmission network. In all applications, the larger the h(X ) the better, so we seek graphs (or families of graphs) with h(X ) as large as possible with some ﬁxed parameters. It is wellknown that the expansion properties of a graph are closely related to the eigenvalues of the adjacency matrix A of the graph X = (V, E); it is indexed by pairs of vertices x, y of X and Axy is the number of edges between x and y. When X has n vertices, A has n real eigenvalues, repeated according to multiplicities that we list in decreasing order μ0 ≥ μ1 ≥ . . . ≥ μn−1 It is also known that if X is Dregular, i.e. all vertices have degree D, then μ0 = D and if morover the graph is connected μ1 < D. Also X is bipartite if and only if −μ0 is an eigenvalue of A. We recall the following Theorem 1. Let X be a finite, connected , Dregular graph then (D − μ1 )/2 ≤ h(X ) ≤ 2D(D − μ1 ) and Theorem 2. Let (Xm )m≥1 be a family of finite connected, Dregular graphs with Vm  → +∞ as m → ∞. Then √ lim inf μ1 (Xm ) ≥ 2 D − 1. N →∞
This leads to the following Deﬁnition 1. A finite connected, Dregular graph X is Ramanujan if, for every eigenvalue μ of A other than ±D, one has √ μ ≤ 2 D − 1. We will also need Deﬁnition 2 (Bipartite Ramanujan Graphs). Let X be a√(c, d)regular √ bipartite graph. Then X is called a Ramanujan graph if μ1 (X ) ≤ c − 1 + d − 1. In this article, we address the optimality of expander graphs and the property of being Ramanujan for: A Dregular graphs; B (c, d)regular bipartite graphs; C Irregular bipartite graphs. We also show that the bipartite graphs of Balanced Incomplete Block Designs yield optimal Ramanujan graphs (meaning that we have equality in deﬁnition 1). Furthermore, we show that the bipartite graphs derived from ﬁnite projective and aﬃne geometries (PG/EG) also yield optimal Ramanujan graphs.
Optimal Bipartite Ramanujan Graphs
2
55
Optimal Expander Graphs and Balanced Incomplete Block Designs
Unless otherwise speciﬁed, for background on block designs, we follow Hall [14]. Deﬁnition 3. A balanced incomplete block design (BIBD) D with parameters (v, b, r, k, λ) is an incidence structure with a set V of v distinct varieties (or objects) denoted a1 , · · · , av and a set B of b distinct blocks denoted B1 , · · · , Bb , such that each of the b blocks is incident with k varieties, and each of the v varieties is incident with r blocks, and every pair of varieties is incident with precisely λ blocks. The design is called symmetric if b = v and its parameters are denoted by (v, k, r). Proposition 1. For a (BIBD) D with parameters (v, b, r, k, λ), 1. b · k = v · r 2. r(k − 1) = λ(v − 1) Remark 1. For a BIBD, Fisher’s inequality implies that b ≥ v and hence r ≥ k and for symmetric designs b = v, and r = k. Furthermore, in any (v, k, r) symmetric block design, every pair of blocks is incident with precisely λ varieties, and if v is even then k − λ is a square. Deﬁnition 4. A BIBD can be described by a v × b incidence matrix H := (hij ), where for 1 ≤ i ≤ v and 1 ≤ j ≤ b, hij = 1 if ai is incident with Bj , and hij := 0 else. Then D is a block design if and only if the following system of equations hold. B := HH T = (r − λ)I + λJv
(1v )T H = k1b
(1)
where Jv is the v×v all 1’s matrix, and 1v and 1b are all 1’s vectors of appropriate lengths. 2.1
The Bipartite Graph of a BIBD
Deﬁnition 5. Let D be a BIBD. The bipartite graph XD has left set of vertices V and right set of vertices B and the adjacency of the left and right vertices is defined by the incidence structure of the design. It is clear that the left vertices of XD all have degree r and the right vertices all have degree k so the graph is what is called (r, k)regular. In the symmetric case all vertices have degree r so the graph is rregular. The adjacency matrix of the bipartite graph XD is then, 0 H A= (2) HT 0 We will from the following proposition from [18] determine the eigenvalues of A.
56
T. Høholdt and H. Janwal
Proposition 2. Let M be a Hermitian matrix. 1. M is diagonalizable by a Unitary matrix. 2. The geometric multiplicity of an eigenvalue of M equals its algebraic multiplicity. 3. All the eigenvalues of M are real. l 4. If PM (x) = i=1 (x − λi )mi is the characteristic polynomial of M with distinct real eigenvalues λi with algebraic multiplicities mi , then the minimal polynomial of M is mM (x) = li=1 (x − λi ) With notations as above we can now prove Lemma 1. 1. The characteristic and minimal polynomials of B = HH T are PB (x) = (x − r · k)(x − (r − λ))v−1 , mB (x) = (x − r · k)(x − (r − λ)). 2. The characteristic and minimal polynomials of C = H T H are, PC (x) = xb−v (x − r · k)(x − (r − λ))v−1 , mC (x) = x(x − r · k)(x − (r − λ)). Proof. The matrix Jv has eigenvalue v with multiplicity 1 and corresponding eigenvector 1v , and eigenvalue 0 with multiplicity (v − 1) with eigenspace W = {Y Y ⊥ 1v }. And all eigenvectors are also eigenvectors of I. From the relation 1, we conclude that r · k is an eigenvalue of B with eigenvector 1v , and (r − λ) with eigenspace W , and hence multiplicity (v − 1). Therefore, PB (X) = (x − r · k)(x − (r − λ))v−1 . Since B is a symmetric matrix, from Proposition 2, we have mB (x) = (x − r · k)(x − (r − λ)). Since HH T and H T H have the same nonzero eigenvalues with the same multiplicities ([11] p.186 ) we get PC (x) = xb−v (x − r · k)(x − (r − λ))v−1 , and from Propostion 2 mC (x) = x(x − r · k)(x − (r − λ)).
Q.E.D.
This in turn leads to Theorem 3. The adjacency matrix of the A of the bipartite √ graph XD √ of a (x) = (x− k · r)(x+ k · r) (v, b, r, k, λ) BIBD has characteristic polynomial P A √ √ v−1 v−1 b−v (x − r − λ) (x + r − λ) x , and minimal polynomial m (x) = (x − A √ √ √ √ k · r)(x + k · r)(x − r − λ)(x + r − λ)x. In particular, the eigenvalues are √ √ k · r with multiplicity 1, r − λ with multiplicity v−1, 0 with multiplicity b−v, √ √ − r − λ with multiplicity v − 1, and − k · r with multiplicity 1. Proof. First
HH T 0 AA = A = 0 HT H T
2
(3)
Therefore, the characteristic polynomial PA2 (x) = PB (x)PC (x). Therefore, from Lemma 1, PA2 (x) = (x − r · k)2 (x − (r − λ))2(v−1) xb−v . It is clear that PA2 (x2 ) = PA (x)PA (−x) and since the graph is bipartite we have PA (−x) = (−1)v+b PA (x) ( [11] p. 31) and hence
Optimal Bipartite Ramanujan Graphs
57
(−1)v+b (PA (x))2 = PA2 (x2 ) = (x2 − r · k)2 (x2 − (r − λ))2(v−1) x2(b−v) so we have PA (x) = ±(x2 − r · k)(x2 − (r − λ))v−1 xb−v and the theorem follows directly.
(4) Q.E.D.
Theorem 4. (I) The bipartite graph XD of a (v, √ b, r, k, λ) BIBD is a (r, k)regular bipartite Ramanujan graph with μ1 = r − λ. (II) The rregular graph of √ a symmetric BIBD is an rregular bipartite Ramanujan graph with μ1 = r − λ. Proof. The proofs of (I) and (II) follow from Theorem 1 by applying the deﬁnition of Ramanujan graphs and following the inequalities. Q.E.D. We also will show that the bipartite graph of a BIBD is an optimal expander graph for its parameters.
3
Characterization of Optimal Bipartite (c, d) Regular Expander Graphs
We recall that a matrix A with rows and columns indexed by a set X is called irreducible when it is not possible to ﬁnd a proper subset of X so that A(x, y) = 0 whenever x ∈ S and y ∈ X \ S. Equivalently, A is not irreducible if and only if it is possible to apply a simultaneous row and column permutation a matrix in a square block form so that one of the blocks is a zero block. For the following Lemma, see for example ([18] p. 363). Lemma 2. Let D be a finite graph. Then the adjacency matrix of A is irreducible if and only if D is connected. We shall also need Proposition 3 (PerronFrobenius). Let A be an irreducible nonnegative matrix. Then, there is up to scalar multiples, a unique nonnegative eigenvector a := (a1 , a2 , · · · , an ) all of whose coordinates ai are strictly positive. The corresponding eigenvalue μ0 (called the dominant eigenvalue of A has algebraic multiplicity 1 and μ0 ≥ μi for any eigenvalue μi of A. We recall the following special case of CourantFisher Theorem (called the RaleighRitz Theorem) (see for example, ([18], Theorem 4.2.2)) Theorem 5. Let A be an n × n Hermitian matrix over the complex field C, then it is known that all its eigenvalues are real, with maximum eigenvalue μmax . ∗T For 0 = X ∈ C n , define the Raleigh quotient RX := XX ∗ TAX . Then μmax = X maxX=0 RX . Furthermore, RX ≤ μmax with equality if and only if X is an eigenvector corresponding to the eigenvalue μmax .
58
T. Høholdt and H. Janwal
Deﬁnition 6. Let X be a bipartite graph with average left degrees c and average right degree d. Define v := E/c and b := E/d. Let μ1 := maxγ {γγ = μmax }, where the maximization is over the eigenvalues of X , and μmax is the maximum eigenvalue of the adjancency matrix of X . Theorem 6. Let X be a connected bipartite graph with average left √ degrees c and average right degree d and maximum eigenvalue μmax . Then cd ≤ μmax with equality if and only is X is a (c, d)regular bipartite graph. Proof. If X is a (c, d)regular bipartite graph, with adjancy matrix 0 H A= HT 0 d then it is easy to see that [1, 1, . . . , 1, τ, . . . , τ ] where τ = c is an eigenvec√ tor corresponding to the eigenvalue cd and then the inequality and equality follow from the PerronFrobenius theorem (3). Conversely, assume that X is a connected bipartite graph on v left vertices of average degree c and b right vertices of average degree d and maximum eigenvalue μmax . Deﬁne Z:=
[1, 1, · · · , 1, τ, · · · , τ ]T , in which the ﬁrst v component are 1, and where τ := dc . √ √ Then one can see that RZ = cd and therefore cd ≤ μmax . If we have equality then RZ = μmax , and from the CourantFisher Theorem Z is an eigenvector corresponding to the √maximal eigenvalue RZ . Therefore, AZ = μmax Z. By assumption, then AZ = cdZ. By solving the simultaneous equations, we get that cvi = c for every left vertex vi , and dbj = d for every right vertex bj . Consequently, X is a (c, d) regular graph. Q.E.D. Theorem 7. Let X be a connected graph such that both ±μmax are eigenvalues (i.e. it is a bipartite with say v left vertices and b right vertices). Suppose that 1 2 1 2 μi μi · = μ2max . 2v μ 2b μ i
i
Then X is a (c, d)regular graph, where c := E/v and d := E/b Proof. By of the adjacency matrix, T race(AAT ) = 2E. But T race
deﬁnition T 2 (AA ) = μi μi Since, c := E/v and d = E/b, by assumption we get cd = μ2max and therefore by Theorem 6, X is a (c, d) regular graph with c := E/v and d := E/b. Q.E.D. Theorem 8. Suppose that X is a bipartite graph with v left vertices and b right vertices where b ≥ v ≥ 2. Suppose the eigenvalues are ±α with multiplicity 1, ±β with multiplicity (v − 1), 0 with multiplicity (b − v) (and α > β > 0). If α2 + (v − 1)β 2 = α2 bv
Optimal Bipartite Ramanujan Graphs
59
then X is the graph of a balanced incomplete block design with parameters (b, v, r, k, λ), where 2 2 2 2 r = α +(v−1)β , k = α +(v−1)β and λ = r − β 2 . b v Proof. With r and k as above we have that r = E v is the avearge degree of the left vertices and k = E is the average degree of the right vertices. But then √b by the condition we get rk = α so by Theorem 7, X is a bipartite (r, k)regular graph. √ √ √ √ √ √ √ Let √ X = [ r, r, · · · , r, k, k, · · · , k], where the multiplicity of r is v, and k is b. √ Then we can verify that AX = r · kX. Therefore, √ (5) AT AX = r · kAX = (rk)X T 0 H HH 0 Let A = . Then AAT = A2 = . HT 0 0 HT H Let B = HH T , where H is the leftright incidence matrix of the bipartite graph, and let Q = H T H. Hence,√ from of H, we can conﬁrm that BY = r · kY, where √ the deﬁnition √ Y = [ r, r, · · · , r]T . Consequently Z = [1, 1, · · · , 1]T is an eigenvector corresponding to the eigenvalue r · k. Then by ([11] p.186), B has eigenvalues α = r · k with multiplicity 1, β with multiplicity (v − 1). Therefore, the minimal polynomial of B is mB (x) = (x−α)q(x), where q(x) = (x − β). (Since B is real symmetric, it is diagonalizable by an orthonormal basis, and therefore its minimal polynomial is composed of distinct factors). Substituting B for X, we have Bq(B) = r · kq(B). Since α is a simple eigenvalue of B with eigenvector Z, q(B) has columns that are multiples of Z. However q(B) is symmetric, as B is symmetric, we conclude that all the column multiples are the same scalar c, i.e. q(B) = cJ, where J is the v × v matrix of all 1’s. Hence B − β 2 Iv = B − (r − λ)Iv = c · J. Hence, B = (r − λ)Iv + c · Jv . By taking Trace both sides, and since T race(B) = T race(HH T ) = rv, we conclude that c = λ. Hence B = HH T = (r − λ)I + λJ, and 1v H = k.1b since the graph is a bipartite graph. Therefore, H is the incidence matrix of a (v, b, r, k, λ) BIBD. Q.E.D. 3.1
Bounds on the Eigenvalues of Irregular Bipartite Graphs
Theorem 9. Let X be a connected bipartite graph with average left degree c and average right degree d. Let v := E/c and b := E/d (we assume b ≥ v) and maximum eigenvalue μmax . Then
60
T. Høholdt and H. Janwal
μ1 ≥
E − μ2max v−1
1/2
with equality if and only if the eigenvalues are ±μmax (with multiplicity 1), ±μ1 (with multiplicity (v − 1), and 0 with multiplicity b − v. Proof. Since X is a connected bipartite graph, the set of eigenvalues is S(X ) := {±μmax , ±μ1 , ±μ2 , ± · · · ± μN −1 , 0} with 2N nonzero eigenvalues, where the absolute values are in decreasing order. HH T 0 Since AAT = A2 = 0 HT H we get by taking the trace, T race(A2 ) = T race(HH T ) + T race(H T H) = vc + b · d = E + E = 2E. Therefore, 2E = T race(A2 ) = 2μmax 2 + 2μ1 2 +
N −1 2 i=2 [μ2i ≤ 2μmax 2 + 2(N − 1)μ1 2 . Hence μ1 ≥
E − μ2max N −1
1/2 ≥
E − μ2max v−1
1/2
where the last inequality follows from the fact that N ≤ v. It is clear that equality occurs if and only if the eigenvalues are ±μmax with multiplicity 1, ±μ1 with multiplicity (v − 1), and 0 with multiplicity b − v. Q.E.D. Corollary 1. Let X be a connected√(c, d)regular bipartite graph. Define v := E/c and b := E/d. Then μmax = c · d, and μ1 ≥
E − μ2max v−1
1/2
with equality if the eigenvalues are ±μmax (with multiplicity 1), ±μ1 (with multiplicity (v − 1)), and 0 with multiplicity b − v. We can now derive the central theorem in this paper: Theorem 10. The bipartite graph XD of a √ (v, b, r, k, λ) BIBD is a (r, k)regular bipartite Ramanujan graph with μ1 (X) = r − λ, and it is optimal expander graph with these parameters.
4
Optimal Ramanujan Graphs from Finite Geometries
In this we consider special type of BIBD that are highly structured, namely those coming from Finite Aﬃne and Projective Geometries. The corresponding class of bipartite graphs from P G(n, IFq ) and EG(n, IFq ) coming from subspaces, yield us, by way of Theorem 12 optimal bipartite expander graphs. The class has been used to construct good LDPC codes ( [38], [39] , [40]) and our results on the eigenvalues and hence the expansion coeﬃcient give a partial theoretical explanation of the good performance of these codes.
Optimal Bipartite Ramanujan Graphs
4.1
61
Optimal Bipartite Ramanujan Graphs of Projective Geometries
Let IFq be the ﬁnite ﬁeld with q = pm elements. Let n ≥ 2 be an integer, and let s be an integer such that 1 ≤ s ≤ n − 1. We consider the incidence structure X (n, s, q) = (V, B), where V = the points of the ndimensional projective geometry P G(n, q), and B = {S dim S = s and S a subspace of P G(n, q)}. Proposition 4 (Hall [14]). The graph of the incidence structure X (n, s, q) is a bipartite graph of a (v, b, r, k, λ) BIBD with parameters b = (qn+1 −1)(qn+1 −q)···(qn+1 −qs ) (qn+1 −1) (qs+1 −1) (qn −1)···(qn −qs−1 ) , v = , k = , r = (qs+1 −1)(qs+1 −q)···(qs+1 −qs ) (q−1) (q−1) (qs −1)···(qs −qs−1 ) , λ=
(qn+1 −q2 )···(qn+1 −qs ) (qs+1 −q2 )···(qs+1 −qs ) .
Theorem 11. The bipartite graph √ X (n, s, q) is a (r, k)regular bipartite Ramanujan graph with μ1 (X) = r − λ, and it is optimal expander graph with these parameters.
4.2
Optimal Bipartite Ramanujan Graphs of Aﬃne Geometries
Let IFq be the ﬁnite ﬁeld with q = pm elements. Let n ≥ 2 be an integer, and let s be an integer such that 1 ≤ s ≤ n − 1. We consider the incidence structure Y(n, s, q) = (V, B), where V = the points of the ndimensional aﬃne geometry EG(n, q), and B = {S dim S = s and S a subspace of EG(n, q)}. Proposition 5 (Hall [14]). The graph of the incidence structure Y(n, s, q) is a bipartite graph of a (v, b, r, k, λ) BIBD with parameters b = qn (qn −1)(qn −q)···(qn+1 −qs−1 ) (qn −1)(qn −q)···(qn+1 −qs−1 ) n s qs (qs −1)(qs+1 −q)···(qs −qs−1 ) , v = q , b = (qs −1)(qs+1 −q)···(qs −qs−1 ) , k = q , λ = (qn −q2 )···(qn −qs−1 ) (qs −q)···(qs+1 −qs−1 ) .
Theorem 12. The bipartite graph √ Y(n, s, q) is a (r, k)regular bipartite Ramanujan graph with μ1 (X) = r − λ, and it is optimal expander graph with these parameters.
5
Conclusion
In this article we have considered a special type of expander graphs coming from balanced incomplete block designs, in particular from ﬁnite geometries. We have shown that these yield optimal Ramanujan graphs. In a forthcoming paper, Janwa and Høholdt [17], we study the expander codes and LDPC codes that are derived from BIBD and codes based on ﬁnite aﬃne and projective geometric based bipartite graph and provide theoretical bounds on their parameters such as distance and rate, and derive some excellent codes.
62
T. Høholdt and H. Janwal
References 1. Alon, N.: Eigenvalues and expanders. Combinatorica 6, 83–96 (1986) 2. Alon, N., Bruck, J., Naor, J., Naor, M., Roth, R.M.: Construction of asymptotically good lowrate errorcorrecting codes through pseudorandom graphs. IEEE Trans. on Inform. Theory 38(2), 509–516 (1992) 3. Alon, N., Lubotzky, A., Wigderson, A.: Semidirect product in groups and zigzag product in graphs: Connections and applications. In: Proc. of the 42nd FOCS, pp. 630–637 (2001) 4. Barg, A., Zemor, G.: Error exponent of expander codes. IEEE Trans. Inform. Theory 48(6), 1725–1729 (2002) 5. Bass, H.: The IharaSelberg zeta function of a tree lattice. International Journal of Mathematics 3(6), 717–797 (1992) 6. Biggs, N.: Algebraic Graph Theory, 2nd edn. Cambridge University Press, Cambridge (1994) 7. Cvetkovic, D.M., Doob, M., Sachs, H.: Spectra of Graphs: Theory and Applications. Academic Press, London (1979) 8. David Forney, G.: Codes on graphs: recent progress. Phys. A 302(104), 1–13 (2001) 9. Frey, B.J., Koetter, R., Forney, G.D., Kschischang, F.R., McEliece, R.J., Spielman, D.A. (eds.): Special Issue on Codes on Graphs and Iterative Algorithms. IEEE Trans. Inform. Theory 47 (2001) 10. Friedman, J. (ed.): Expanding Graphs. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 10. AMS (1993) 11. Godsil, C.D.: Algebraic Combinatorics. Chapman and Hall, Boca Raton (1993) 12. Guo, Q., Janwa, H.: Some properties of the zigzag product of graphs. In: Presented at the 2nd NASAEPSCoR meeting, November 10 (2003) (preprint) 13. Guruswami, V., Indyk, P.: ExpanderBased Construction of Eﬃciently Decodable Codes. In: 42nd IEEE Symposium on Foundation of Computer Science, October 1417, p. 658 (2001) 14. Hall Jr., M.: Combinatorial Theory, 2nd edn. Wiley Interscience in discrete Mathematics. Kluwer, Dordrecht (2003); Høholdt, T., Justesen, J.: Graph codes with ReedSolomon component codes (submitted) 15. Høholdt, T., Justesen, J.: Graph codes with ReedSolomon component codes. In: Proc. ISIT 2006, pp. 2002–2006 (2006) 16. Høholdt, T., Justesen, J.: Iterated analysis of iterated hard decision decoding of product codes with ReedSolom component codes. In: Proc. ITW 2007 (September 2007) 17. Høholdt, T., Janwa, H.: Characterization of some optimal expander graphs and their application to expander/LDPC codes (in preparation) 18. Horn, R.A., Johnson, C.R.: Matrix Analysis. Cambridge University Press, Cambridge (1992) 19. Janwa Jr., H.: “Relations among Expander Graphs, Codes, Sequence Design, and Their Applications. In: Proceedings of the 4th World Multiconference on Systemics, Cybernetics and Informatics (SCI 2000 and ISAS 2000), Orlando Florida, July 2326, vol. XI, pp. 122–124 (2000) 20. Janwa, H.: New (Explicit) Constructions of Asymptotic Families of Constant Degree Expander Graphs from Algebraic Geometric (AG) Codes and Their Applications to Tanner Codes. ABSTRACTS OF THE AMS 26(1), 197 (2005); Joint AMS annual Meeting, Atlanta, 2005; Special session on Algebraic Geometry and Codes
Optimal Bipartite Ramanujan Graphs
63
21. Janwa, H.: New Constructions of Sparse QuasiRandom Graphs (in preparation) 22. Janwa, H.: Further examples of Ramanujan graphs from AG codes (2003) (in preparation) 23. Janwa, H.: Covering radius of codes, expander graphs, and Waring’s problem over ﬁnite ﬁelds (in preparation) 24. Janwa, H.: A graph theoretic proof of the Delsarte bound on the covering radius of linear codes (preprint) 25. Janwa, H.: Good Expander Graphs and Expander Codes: Parameters and Decoding. In: Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.) AAECC 2003. LNCS, vol. 2643, pp. 119–128. Springer, Heidelberg (2003) 26. Janwa, H., Lal, A.K.: “On Expander Graphs: Parameters and Applications (January 2001) (submitted), arXiv:cs.IT/0406048v1 27. Janwa, H., Lal, A.K.: On Tanner Codes: Parameters and Decoding. Applicable Algebra in Engineering, Communication and Computing 13, 335–347 (2003) 28. Janwa, H.: Explicit Constructions of Asymptotic Families of Constant Degree Expander Graphs from Algebraic Geometric (AG) Codes. Congressus Numerantium 179, 193–207 (2006) 29. Janwa, H., Lal, A.K.: On the Generalized Hamming Weights and the Covering Radius of Linear Codes. LNCS, vol. 4871, pp. 347–356. Springer, Heidelberg (2007) 30. Janwa, H., Mattson Jr., H.F.: “The Projective Hypercube and Its Properties and Applications. In: Proceedings of the 2001 International Symposium on Information Theory (ISIT 2001), Washington D.C., USA (June 2001) 31. Janwa, H., Moreno, O.: Strongly Ramanujan graphs from codes, polyphasesequences, and Combinatorics. In: Proceedings of the International Symposium on Information Theory (ISIT 1997), Ulm, Germany, p. 408 (1997) 32. Janwa, H., Moreno, O.: New Constructions of Ramanujan Graphs and Good Expander Graphs from Codes, Exponential Sums and Sequences. IMA Summer Program on Codes, Systems and Graphical Models (August 1999) 33. Janwa, H., Moreno, O.: Elementary constructions of some Ramanujan graphs. Congressus Numerantium (December 1995) 34. Janwa, H., Moreno, O.: “Coding theoretic constructions of some number theoretic Ramanujan graphs. Congressus Numerantium 130, 63–76 (1998) 35. Janwa, H., Moreno, O.: “Expander Graphs, Ramanujan Graphs, Codes, Exponential Sums, and Sequences (to be submitted) 36. Janwa, H., Moreno, O., Kumar, P.V., Helleseth, T.: Ramanujan graphs from codes over Galois Rings (in preparation) 37. Janwa, H., Rangachari, S.S.: Ramanujan Graphs. Lecture Notes. Preliminary Version (July 1994) 38. Kou, Y., Lin, S., Fossorier, M.P.C.: Lowdensity paritycheck codes based on ﬁnite geometries: a rediscovery and new results. IEEE Trans. Inform. Theory 47(7), 2711–2736 (2001) 39. Lin, S., Kou, Y.: A Geometric Approach to the Construction of Low Density Parity Check Codes. In: Presented at the IEEE 29th Communication Theory Workshop, Haynes City, Fla., May 710 (2001) 40. Lin, S., Kou, Y., Fossorier, M.: Finite Geometry Low Density Parity Check Codes: Construction, Structure and Decoding. In: Proceedings of the ForneyFest. Kluwer Academic, Boston (2000) 41. Li, W.C.W.: Character sums and abelian Ramanujan graphs. Journal of Number Theory 41, 199–217 (1992) 42. Lubotzky, A.: Discrete Groups, Expanding Graphs and Invariant Measures. Birkh¨ auser, Basel (1994)
64
T. Høholdt and H. Janwal
43. Lubotzky, A., Phillips, R., Sarnak, P.: Ramanujan Graphs. Combinatorica 8, 261– 277 (1988) 44. Margulis, G.A.: Explicit group theoretic constructions of combinatorial schemes and their applications for construction of expanders and superconcentrators. Journal of Problems of Information Transformation, 39–46 (1988) 45. Reingold, O., Vadhan, S., Wigderson, A.: Entropy waves, the zigzag graph product, and new constantdegree expanders. Ann. of Math. 155(1), 157–187 (2002) 46. Richardson, T., Urbanke, R.: The capacity of lowdensity parity check codes under messagepassing decoding. IEEE Trans. Inform. Theory 47(2), 569–618 (2001) 47. Richardson, T.J., Shokrollahi, M.A., Urbanke, R.: Design of capacityapproaching irregular lowdensity paritycheck codes. IEEE Trans. Inform. Theory 47(2), 619– 637 (2001) 48. Rosenthal, J., Vontobel, P.O.: Construction of LDPC Codes using Ramanujan Graphs and Ideas from Margulis. In: Allerton Conference (2000) 49. Roth, R.M., Skachek, V.: Improved nearly MDS codes. IEEE Trans. on Inform. Theory 52(8), 3650–3661 (2006) 50. Sarnak, P.: Some Applications of Modular Forms. Cambridge University Press, Cambridge (1990) 51. Sarnak, P.: What is... an Expander. Notices of the AMS 51(7), 762–763 (2004) 52. Shokrollahi, A.: Codes and graphs. In: Reichel, H., Tison, S. (eds.) STACS 2000. LNCS, vol. 1770, pp. 1–12. Springer, Heidelberg (2000) 53. Sipser, M., Spielman, D.A.: Expander codes. Codes and complexity. IEEE Trans. Inform. Theory 42(6, part 1), 1710–1722 (1996) 54. Spielman, D.A.: Lineartime encodable and decodable errorcorrecting codes. IEEE Trans. on Inform. Theory 42(6), 1710–1722 (1996) 55. Tanner, R.M.: Explicit concentrators from generalized N gons. SIAM J. of Discrete and Applied Mathematics 5, 287–289 (1984) 56. van Lint, J.H., Wilson, R.M.: A Course in Combinatorics, 2nd edn. Cambridge University Press, Cambridge (2001) 57. Tanner, R.M.: Minimumdistance bounds by graph analysis. IEEE Trans. Inform. Theory 47(2), 808–821 (2001) 58. Zemor, G.: On Expander Codes. IEEE Trans. Inform. Theory. IT47(2), 835–837 (2001)
Simulation of the SumProduct Algorithm Using Stratified Sampling John Brevik1 , Michael E. O’Sullivan2 , Anya Umlauf2 , and Rich Wolski3 1
California State University, Long Beach 1250 Bellﬂower Blvd. Long Beach CA 90840 2 Department of Mathematics and Statistics San Diego State University 5500 Campanile Dr. San Diego, CA, USA, 92182 3 Department of Computer Science University of California, Santa Barbara, CA 75275
Abstract. Using stratiﬁed sampling a desired conﬁdence level and a speciﬁed margin of error can be achieved with smaller sample size than under standard sampling. We apply stratiﬁed sampling to the simulation of the sumproduct algorithm on a binary lowdensity paritycheck code. Keywords: Sumproduct algorithm, stratiﬁed sampling, simulation.
1
Introduction
One of the mysterious aspects of decoding lowdensity paritycheck codes with the sumproduct algorithm is the error ﬂoor appearing in the performance curve. As is now well known, the performance of the SPA, measured in either biterrorrate or worderrorrate as a function of the signaltonoise ratio, tends to have two regions: a “waterfall” portion, where the curve descends ever more steeply until it reaches the second region, the “error ﬂoor,” where the curve ﬂattens out considerably. The change in descent has been attrributed to “nearcodewords” [4], also called trapping sets [5]. The error ﬂoor for ensembles of codes using erasure decoding and also maximum a posteriori (MAP) decoding are analyzed with sophisticated probabilistic techniques in [6, 3.24,4.14]. The analysis of the error ﬂoor for the SPA appears to be quite challenging. In particular, for individual codes, “the error ﬂoor does not concentrate [to the ensemble average] and signiﬁcant diﬀerences can arise among the individual members of an ensemble. It is therefore important to indentify ‘good elements’ of an ensemble” [6, p.266]. The error ﬂoor is important because it limits the utility of an LDPC code. In practice, it may be desirable to have assurance that the (bit) error rate at a particular signaltonoise ratio is lower than 10−10 , but simulation to achieve
This research was supported by NSF CCFTheoretical Foundations grants #0635382, #0635389 and #0635391.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 65–72, 2009. c SpringerVerlag Berlin Heidelberg 2009
66
J. Brevik et al.
a reasonable level of conﬁdence at this rate can be expensive. There are some methods to improve code constructions to lower the error ﬂoor see e.g. [3,1], but there is no clear theory to explain the error ﬂoor and no method to compute it for a particular LDPC code. Thus one might hope for improved methods of simulation. Our approach to this problem is based on the observation that with high probability, a received vector for input in the SPA has a very small number of badly corrupted bits and will decode successfully; to look at it another way, the input vectors that fail to decode are concentrated in a region of relatively low probability. In this article, we summarize how stratiﬁed sampling may be used to greatly reduce the sample size required for a desired conﬁdence level and margin of error. We apply stratiﬁed sampling to a particular LDPC code—a (3, 6) regular code of length 26—that is small but still interesting. The method reduces the number of samples required by roughly a factor of 70, at SNR 9.0, a margin of error of 20% of the error rate (which is roughly 4 × 10−6 ), and 95% conﬁdence level.
2
Stratified Sampling
In this section, we give a brief resum´e of the ideas behind stratified sampling, which is a method for reducing the variance in a sample (Cf. [2, Ch. 8] for a more complete account). We give a rather general treatment, provide some simple examples, and ﬁnally interpret the method in the context of blockerror rates for LDPC codes. 2.1
Theoretical Overview
Let (Ω, p) be a probability space, and let X be a realvalued random variable on Ω, which we will assume to have ﬁnite mean μ and variance σ 2 . We are interested in the problem of estimating the expected value μ = E(X) from a sample (x1 , x2 . . . , xr ) of size r taken from X. Provided that X is relatively well behaved ¯ has approximate distribution and that r is suﬃciently large, the sample mean X N (μ, σ 2 /r). Again with the same provisions, σ 2 is adequately approximated by the sample variance s2 , so √ we can obtain a reasonable conﬁdence interval for μ ∗ √ as (¯ x − z s/ r, x ¯ + z ∗ s/ r), where x ¯ is the mean obtained from our particular sample and z ∗ is an appropriate standardnormal critical value. Now suppose that Y is another random variable on Ω taking on the ﬁnite set Y1 , Y2 , . . . , Yk of values; we will refer to the events Y = Yk as strata of Ω. Suppose further that pk = p(Y = Yk ) is known or can be approximated eﬀectively. This suggests an alternate method for estimating μ from a sample of size r: Take of the variables Xj = XYj , a sample (x j1 , xj2 . . . , xjrj ) of size rj from each where r = rj , and take the weighted sum x ˆ= pj x ¯j of sample means. The ¯ j has approximate distribution N (E(XYj ), V (XYj )/rj ); note sample mean X that pj E(XYj ) = μ. If we again assume that the j th sample variance s2j adequately approximates thetrue variance V (XYj ), we ﬁnd that the variance ¯ j is approximately of pj X p2j s2j /rj .
Simulation of the SumProduct Algorithm Using Stratiﬁed Sampling
To ﬁnd the values of rj , subject to
67
rj = r that minimize the variance, use p2j s2j p s Lagrange multipliers: We ﬁnd that − 2 = λ for all j, so rj = r · jpijsi . The rj approximate value of the total variance of this estimator is thus p2j s2j p i si ( pj sj )2 Var xˆ ≈ . (1) = rpj sj r We note that the term “stratiﬁed sampling” is sometimes used for the speciﬁc case in which the ri are chosen to be proportional to the pi . In general, this approach also leads to some reduction in variance, simply because it controls one contributor to sampling variance, namely the variance in the sampling distribution of Y values. The approach outlined above clearly yields superior reduction in variance, based as it is on optimization. 2.2
An Example
Suppose that we wish to obtain an accurate estimate for the incidence of a certain gene in a population. Suppose further that the population is 70% white and 30% nonwhite, that we have obtained the approximate values of .01% incidence in the white population and 17% in the nonwhite population, and that these approximations provide acceptable values for the purposes of estimating sample variances. This gives an approximate value of .05107 for the proportion of the population with this gene, and the proportion for a “raw” sample of size r would .04846 .05107 · (1 − .05107) ≈ . thus have variance approximately r r Now write Y1 for the event that a member of the population is white and Y2 for the event√that s/he is nonwhite; then, in the notation established above, √ p1 = .7, s1 = .0001 · .9999 ≈ .01, so p1 s1 ≈ .007; and p2 = .3, s2 = .17 · .83 ≈ .3756, so p2 s2 ≈ .1127. The calculations above show that the optimal stratiﬁed .007 sample of size r takes r · ≈ .0585 from the white population and .007 + .1127 therefore about 94.15% of the total sample from the nonwhite population. The .0143 (.007 + .1127)2 = , an improvement sample variance in this scheme is r r by a factor of almost 3.4. In practical terms, √ the standard error (= standard deviation of the sample proportion) is about .0143 · .04846 ≈ .54 as large using stratiﬁed sampling as with the “raw” method. For a given sample size, then, stratiﬁcation allows us to obtain an estimate with just over half the margin of error; alternatively, it allows us to use a much smaller sample – about .3 as large, since the standard error decreases as the square root of the sample size – to obtain the same level of accuracy. We can gain even more advantage if the population can be further separated into strata with diﬀerent characteristics. Suppose that the nonwhite population breaks down as 25% AfricanAmerican and 5% AsianAmerican and that the gene has incidence about 1% in the AfricanAmerican population and about 97% in the AsianAmerican population. An analogous calculation to the above
68
J. Brevik et al.
calls for a sample that is about 17.3% white, 65.6% AfricanAmerican, and 21.1% .00163 AsianAmerican, and the total variance in this case comes out to about r – a further improvement by a factor of about 9 over the ﬁrst stratiﬁed example, and a further reduction by a factor of almost 3 in standard error. Compared to “raw” sampling, this ﬁnal stratiﬁed sampling scheme reduces the necessary sample size for a given margin of error by a factor of about 29.7. 2.3
Stratified Sampling with LDPC Codes
We now consider a code of length n with code symbols ±1 (i.e., {(−1)0 , (−1)1 }), transmitted across a Gaussian memoryless binary symmetric channel. In this setting the probability space Ω consists of all vectors (1 , 2 , . . . , n ), 0 < j < 1, where j is the likelihood of the value −1 at the j th bit, inferred by the decoder at the initial step based on the received value at that bit. For the purposes of simulation it is suﬃcient to restrict to the all1 codeword; see [6][Sec. 4.3]; by our assumptions, the components of Ω are iid and the distribution on each component can be calculated using normal distributions. Our random variable X of interest takes on the value 1 if the SPA decoder does not produce the all 1 codeword and 0 otherwise, so E(X) is the frameerror rate (FER) of the code. We can compute the density function for i under the assumption that the all1 codeword was sent. Let T1 stand for the input at a bit given that a 1 is transmitted. T1 is distributed according to the Gaussian N1 (t) =
√1 e− σ 2π
(t−1)2 2σ2
. Similarly, if a −1 is (t+1)2
transmitted, the input T−1 is distributed according to N−1 (t) = σ√12π e− 2σ2 . t (−1) N−1 (t) Now, for a given input value t, the likelihood ratio is given by = t (1) N1 (t) 2t e− σ2 , and therefore the likelihood r(t) that a −1 was sent is equal to 2t
e− σ 2 1 t (−1) = − 2t = 2t . 2 t (−1) + t (0) e σ +1 1 + e σ2 Note that q = r(t) isa strictly decreasing function of t, and we can solve for 1−q σ2 t to obtain t = 2 ln q . Now, under the assumption that a 1 was actually transmitted, for any q in the interval (0, 1), the distribution function FQ (q) is given by 1−q σ2 ln FQ (q) = P (Q ≤ q) = P T1 ≥ 2 q σ 1−q T1 − 1 1 ≥ ln FQ (q) = P − σ 2 q σ ⎡ ⎛ ⎞⎤ 1−q σ 1 − ln 2 q σ 1 ⎠⎦ √ (2) FQ (q) = 1 − ⎣ ⎝1 + erf 2 2
Simulation of the SumProduct Algorithm Using Stratiﬁed Sampling
69
x 2 2 where erf is the the error function,’ deﬁned by erf(x) = √ e−u du so π 1 √ 1 that (1 + erf(X/ 2)) is the distribution function for the standard normal, any 2 particular value of which can be well approximated. Now, set some threshold value t1 above which a likelihood j is to be considered “high,” and stratify the set of likelihood vectors by the number of high entries contained in each, so that our variable Y takes on the values 0, 1, . . . , n corresponding to the number of high values in a vector. Note that pj = p(Y = j) is relatively straightforward to calculate from the distribution on and binomial coeﬃcients. This situation is a prime candidate for stratiﬁed sampling, because the strata corresponding to large j have a much higher incidence of decoding failure than those with low jvalues. We then carry out sampling as follows: For a given j, choose randomly the j “high” positions; then sample from the conditional density > t1 in these places and from the conditional density < t1 in the others. Of course, the threshold t1 is a parameter in this scheme. More generally, in fact, one can deﬁne multiple thresholds t1 < t1 < · · · < tm , deﬁne tm+1 = 1, and stratify Ω by the mtuple of integers (y1 , y2 , . . . , ym ) where yj is the number of entries falling between tj and tj+1 , so that n − y1 − · · · − ym is the number of entries between 0 and t1 . Because the large sample sizes required to get meaningful estimates for error rates incurs a high cost in terms of time and compute cycles, our purpose for stratiﬁed sampling is not to obtain a superior estimate of blockerror rate for a given sample size but rather to obtain an equally accurate estimate with a smaller sample size. In the next section, we show for a speciﬁc code the amount of samplesize reduction that is possible with stratiﬁed sampling.
3
Application
We applied stratiﬁed sampling to a (3, 6) regular graph with 26 bit nodes and 13 check nodes. The girth of the graph is 6. We simulated the sumproduct algorithm for signal to noise ratios from 5 to 9, over which range the output FER drops from roughly 10−2 to 5 × 10−6 . We want to estimate block error ˆ Let r˜ be rate with a 95% conﬁdence level and within 20% of the estimate θ. the sample size needed for the stratiﬁed sampling, and let r be the sample size needed for standard sampling. We are interested in comparing these values. We chose the threshold t1 to be 0.5. As described above, the probability space Ω is stratiﬁed by the number j of high values in the where j varies from jvector, 26−j 0 to 26. The probability of the jth stratum is 26 , where q is the j q (1 − q) probability, calculated as above, that any given received value is over 0.5. The vast majority of strata have very low probability and may be ignored. ˆ = σ2 , where For regular sampling, variance of θˆ can be calculated with Var(θ) r ˆ Sample size required for the standard sampling can be σ 2 is estimated by θˆ·(1− θ). 2 2 zα σ 2 ˆ calculated with r = M 2 , where σ is the variance of θ and M is margin of error.
70
J. Brevik et al.
ˆ With stratiﬁed sampling, variance of θ is found as in Equation 1 above: ( j pj sj )2 ˆ ≈ , where sj = θˆj · (1 − θˆj ). The relative sample sizes for Var(θ) r˜
a given margin of error is then given by ˆ θˆ · (1 − θ) r = . r˜ ( j pj sj )2 Note that this ratio is independent of the desired margin of error. In order to use stratiﬁed sampling for the problem of estimating FER, we ﬁrst need to obtain an approximate value for the FER within each stratum in Table 1. Data for several strata at each SNR SNR M 2 stratum j θˆ 5 9.50e03 3.61e06 0 1 2 3 4 5 6 Total 6 3.36e03 4.52e07 0 1 2 3 4 5 Total 7 6.57e04 1.73e08 0 1 2 3 4 5 Total 8 8.65e05 2.99e10 0 1 2 3 4 Total 9 4.84e06 9.36e13 0 1 2 3 4 Total
pj 3.68e01 3.75e01 1.84e01 5.75e02 1.29e02 2.23e03 3.06e04
θˆj 1.00e10 1.04e03 1.28e02 6.19e02 1.70e01 4.05e01 3.33e01
sj 1.00e05 3.22e02 1.12e01 2.41e01 3.76e01 4.91e01 4.71e01
5.46e01 3.34e01 9.84e02 1.85e02 2.51e03 2.60e04
1.00e10 3.50e04 1.61e02 6.67e02 1.44e01 2.46e01
1.00e05 1.87e02 1.26e01 2.49e01 3.51e01 4.31e01
7.19e01 2.38e01 3.80e02 3.87e03 2.84e04 1.59e05
1.00e10 1.70e04 7.31e03 7.27e02 1.90e01 1.96e01
1.00e05 1.30e02 8.52e02 2.60e01 3.92e01 3.97e01
8.55e01 1.34e01 1.01e02 4.90e04 1.70e05
1.00e10 3.31e05 4.48e03 6.86e2 1.78e01
1.00e05 5.75e03 6.68e02 2.53e01 3.83e01
9.39e01 5.91e02 1.79e03 3.46e05 4.81e07
1.00e10 7.57e06 1.54e03 4.36e02 2.63e01
1.00e05 2.75e03 3.93e02 2.04e01 4.40e01
p j × sj 3.68e06 1.21e02 2.06e02 1.39e02 4.87e03 1.20e03 1.44e04 5.27e02 5.46e06 6.25e03 1.24e02 4.62e03 8.81e04 1.12e04 2.43e02 7.19e06 3.11e03 3.24e03 1.01e03 1.12e04 6.32e06 7.48e03 8.55e06 7.73e04 6.77e04 1.24e04 6.51e06 1.59e03 9.39e06 1.63e04 7.01e05 7.06e06 2.12e07 2.49e04
rj 1 677 1,155 776 273 62 9 2,953 2 1,289 2,553 953 182 24 5,003 12 5,170 5,382 1,674 186 11 12,435 175 15,748 13,806 2,525 133 32,387 9,610 166,289 71,753 7,220 217 255,089
Simulation of the SumProduct Algorithm Using Stratiﬁed Sampling
71
Table 2. Summarized data for each SNR ˆ · θˆ ( pj sj )2 ratio SNR r r˜ θˆ (1 − θ) j 5 9.50e03 9.41e03 2.77e03 3 10,011 2,953 6 3.36e03 3.35e03 5.89e04 6 28,466 5,003 7 6.57e04 6.57e04 5.59e05 12 146,065 12,435 8 8.65e05 8.65e05 2.52e06 34 1,109,868 32,387 9 4.84e06 4.84e06 6.21e08 78 19,855,359 255,089 Z2 p s order to set the sample sizes rj = ( jpjjsj )˜ r = pj sj Mα2 ( j pj sj ). We do this j by taking relatively small samples; note that any sampling error has only the “secondorder” eﬀect of changing the estimated standard error s2j , so we expect the ﬁnal outcome to be fairly robust to this type of error. Given these estimates, select rj vectors from each stratum j at random. This can be achieved in practice by ﬁrst randomly choosing j bit positions for “high” values and then sampling “high” values and “low” values by conditioning the distribution according to Equation 2. The estimated value for the frameerror rate is θˆ = j pj θˆj . For all included strata, sample sizes mj are shown in Table 1. Table 2 shows how much samplesize reduction can be achieved with stratiﬁed sampling, together with calculated sample sizes needed for standard and stratiﬁed sampling for a margin of error approximately 20% of the FER. At SNR 5 the reduction ratio is approximately 3; however, as SNR increases this ratio also increases. For example, standard sampling for SNR9 requires almost 20 million units, whereas stratiﬁed sampling needs only 255 thousand, reducing sample size by a factor of approximately 77.
4
Conclusions and Future Work
The results shown here indicate that stratiﬁed sampling is an eﬀective strategy for reducing sample size necessary to estimate decoder performance on an LDPC code at high SNR, within a speciﬁed margin of error. At this stage, there are a number of clear paths for future examination. First, a length26 code is far to short to have any realworld value, so it is necessary to validate these results with longer codes. We have begun testing codes of length 282 using massively parallel batch jobs on the Condor pool 1 [7], 1
Condor provides (among many features) the ability to “harvest” computing cycles from idle computers that are connected to the Internet. For these experiments, we use a Condor pool located in the Computer Science Department at the University of California, Santa Barbara consisting of approximately 100 machines. In addition, the Condor Project at the University of Wisconsin allows UCSB’s Condor pool to “oﬀload” work that exceeds the available idle machine capacity; thus each experiment had available to it up to 300 machines for the purpose of computing each Monte Carlo simulation. The ability to harvest unused cycles and loadshare between institutions made the investigation feasible in a short span of time.
72
J. Brevik et al.
and it is already evident from preliminary results that it will be necessary to adjust the cutoﬀ value q = 0.5; while we have achieved a speedup by a factor of 5 or so using such adjustments, it is not clear that the straightforward approach used for the length26 code will achieve such dramatic results. However, there are a number of ways in which the stratiﬁcation scheme can be made more sophisticated. As discussed earlier, one can use multiple thresholds, t1 < t2 < · · · < tm . For example, with m = 2, we could associate to each vector of likelihoods an ordered pair (a, b), where a stands for the number of values between, say, 0.5 and 0.9 and b stands for the number of values greater than 0.9. Probabilities of the various strata can still be calculated with binomial coeﬃcients, and sampling can still be done with linear conditioning on randomnumber generators. Another possibility is to stratify based on the proximity of highvalued bits on the associated graph; intuitively, if highvalued bits are close together (e.g. sharing a check), the bits’ inaccurate values tends to reinforce one another and aﬀect nearby bit estimates in the SPA. We note that our method can be adapted to biterror rate (BER), which in some applications is a more suitable measure for decoding error than FER. In fact, a stratiﬁed method would likely work even better here, since the lowprobability badly behaved strata will likely have much more variance in the number of errors per word than the highprobability strata and will therefore contribute proportionally more to the variance of the BER estimator. As was kindly pointed out by one of the referees, the general framework of stratiﬁed sampling may well apply to a wide variety of communications systems, which typically lack precise analytical means for error analysis and therefore rely on sampling. While our experience is mainly in LDPC codes, exploring this broader applicability may lead to better and more general results.
References 1. Xu, J., Chen, L., Djurdjevic, I., Lin, S., AbdelGhaﬀar, K.: Construction of regular and irregular LDPC codes: geometry decomposition and masking. IEEE Trans. Inform. Theory 53, 121–134 (2007) 2. Ross, S.M.: Simulation, 4th edn. Elsevier Academic Press, Amsterdam (2006) 3. Tian, T., Jones, C., Villasenor, J.D., Wesel, R.D.: Construction of irregular LDPC codes with low error ﬂoors. In: IEEE International Conference on Communications, vol. 5, pp. 3125–3129 (2003) 4. MacKay, D.J.C., Postol, M.J.: Weaknesses of Margulis and Ramanujan–Margulis lowlensity paritycheck codes. In: Proc. of MFCSIT 2002, Galway. Electronic Notes in Theoretical Computer Science, vol. 74. Elsevier, Amsterdam (2003) 5. Richardson, T.: Error ﬂoors of LDPC codes. In: Proc. of 41st Allerton Conf., Monticello, IL (September 2003) 6. Richardson, T., Urbanke, R.: Modern Coding Theory. Cambridge University Press, Cambridge (2008) 7. Tannenbaum, T., Litzkow, M.: The Condor Distributed Processing System. Dr. Dobbs Journal (February 1995)
A Systems Theory Approach to Periodically TimeVarying Convolutional Codes by Means of Their Invariant Equivalent JoanJosep Climent1 , Victoria Herranz2 , Carmen Perea2, and Virtudes Tom´ as1, 1
Departament de Ci`encia de la Computaci´ o i Intel·lig`encia Artiﬁcial Universitat d’Alacant Campus de Sant Vicent del Raspeig, Ap. Correus 99, E03080 Alacant, Spain 2 Centro de Investigaci´ on Operativa Departamento de Estad´ıstica, Matem´ aticas e Inform´ atica Universidad Miguel Hern´ andez Avenida de la Universidad s/n, E03202 Elche  Alicante, Spain
Abstract. In this paper we construct (n, k, δ) timevariant convolutional codes of period τ . We use the systems theory to represent our codes by the inputstateoutput representation instead of using the generator matrix. The obtained code is controllable and observable. This construction generalizes the one proposed by Ogasahara, Kobayashi, and Hirasawa (2007). We also develop and study the properties of the timeinvariant equivalent convolutional code and we show a lower bound for the free distance in the particular case of MDS block codes. Keywords: Timevarying convolutional codes, controllability, observability, free distance.
1
Introduction
Convolutional codes [6, 10, 14] are an speciﬁc class of error correcting codes that can be represented as timeinvariant discrete linear systems over a ﬁnite ﬁeld [19]. They are used in phone data transmission, radio or mobile communication systems and in image transmissions from satellites [11, 13]. Convolutional coding is the main error correcting technique in data transmission applications due to its easy implementation and nice performance in random error channels [12, 23]. While it is usual for block codes to have the minimum distance guaranteed, for convolutional codes it is common to ﬁnd out the minimum free distance by a
This work was partially supported by Spanish grants MTM200806674C0201 and MTM200806674C0202. The work of this author was also supported by a grant of the Vicerectorat d’Investigaci´ o, Desenvolupament i Innovaci´ o of the Universitat d’Alacant for PhD students.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 73–82, 2009. c SpringerVerlag Berlin Heidelberg 2009
74
J.J. Climent et al.
code search. Since the required computation in a code search grows exponentially with the number of delay elements of a code, this code search of the minimum free distance can become diﬃcult. As well, the computational requirements of the decoding increase with the amount of delay elements δ. In the construction proposed in this paper we will see that δ does not increase, what can reduce decoding computation [17]. The rest of the paper is organized as follows. In Section 2 we provide all the necessary concepts about convolutional codes to follow the rest of the paper. In Section 3 we give initial knowledge about periodically time variant convolutional codes and we construct the timeinvariant equivalent one. In Subsection 3.1 we develop the minimality conditions for the constructed code, and in Subsection 3.2 we study suﬃcient conditions for the timeinvariant code to be controllable and observable when this is formed by (n, 1, 1) or (n, n − 1, 1) codes. In Section 4 we give a lower bound on the free distance. Finally, we provide some conclusions and future research lines in Section 5.
2
Preliminaries
Let F be a ﬁnite ﬁeld. A rate k/n convolutional code C is a submodule of Fn [z] that can be described (see [21, 25]) as C = v(z) ∈ Fn [z]  v(z) = G(z)u(z) with u(z) ∈ Fk [z] where u(z) is the information vector or information word, v(z) is the code vector or code word and G(z) is an n×k polynomial matrix with rank k called generator or encoding matrix of C. The complexity δ of C is the maximum of the degrees of the determinants of the k × k submatrices of any generator matrix of C. We call C an (n, k, δ) convolutional code (see [14]). We can describe an (n, k, δ) convolutional code C by means of the system xt+1 = Axt + But (1) , t = 0, 1, 2, . . . ; x0 = 0 y t = Cxt + Dut yt where A ∈ Fδ×δ , B ∈ Fδ×k , C ∈ F(n−k)×δ , D ∈ F(n−k)×k and v t = . ut The four matrices (A, B, C, D) are called the inputstateoutput representation of the code C. This representation was introduced in [21] and has been used in the last years to analyze and construct convolutional codes [1, 4, 5, 9, 18, 19, 21, 25]. For each positive integer j let us deﬁne the matrices ⎤ ⎡ C ⎢ CA ⎥ ⎥ ⎢ ⎥ ⎢ j−2 j−1 Φj (A, B) = B AB · · · A B A B and Ωj (A, C) = ⎢ ... ⎥ . ⎥ ⎢ ⎣ CAj−2 ⎦ CAj−1
A Systems Theory Approach
75
Definition 1. Let A and B be matrices of sizes δ × δ and δ × k, respectively. The pair (A, B) is controllable if rank(Φδ (A, B)) = δ. If (A, B) is a controllable pair, then the smallest integer κ such that rank(Φκ (A, B)) = δ is the controllability index of (A, B). Definition 2. Let A and C be matrices of sizes δ × δ and (n − k) × δ, respectively. The pair (A, C) is observable if rank(Ωδ (A, C)) = δ. If (A, C) is an observable pair, then the smallest integer ν such that rank(Ων (A, C)) = δ is the observability index of (A, C). An important distance measures of a convolutional code is the free distance ∞ ∞ df ree (C) = min wt(ut ) + wt(y t ) u0 =0
t=0
t=0
where wt(·) denotes the Hamming weight of a vector. Rosenthal and Smarandache [20] gave a generalization of the Singleton bound for block codes. Theorem 1 (Theorem 2.2 of [20]). If C is a (n, k, δ)code over any field F, then δ + 1 + δ + 1. (2) df ree (C) ≤ (n − k) k This bound is known as the generalized Singleton bound. Analogously to block codes, we say that a (n, k, δ)code is maximum distance separable (MDS) if the free distance attains the generalized Singleton bound.
3
Periodically TimeVariant Convolutional Codes
In this section we deﬁne periodically timevarying convolutional codes and explain the concrete characteristics of our construction. Let us assume that the matrices At , Bt , Ct and Dt at time t are of sizes δ × δ, δ × k, (n − k) × δ and (n − k) × k, respectively. A timevariant convolutional code can be deﬁned by means of the system xt+1 = At xt + Bt ut (3) , t = 0, 1, 2, . . . x0 = 0 y t = Ct xt + Dt ut The deﬁned timevariant convolutional code is a dynamical system which can have a minimal representation, that is, a representation where the matrices have the smallest size possible. It is known that the realization (A, B, C, D) of a linear system is minimal if and only if (A, B) is a controllable pair and (A, C) is an observable pair [2]. In Subsection 3.1 and 3.2 we will study the conditions for our code to have a minimal representation. If the matrices change periodically with periods τA , τB , τC and τD respectively, (that is, AτA +t = At , BτB +t = Bt , CτC +t = Ct and DτD +t = Dt for
76
J.J. Climent et al.
all t) then we have a periodically timevarying convolutional code of period τ = lcm (τA, τB , τC , τD ). Any periodic timevarying convolutional code is equivalent to an invariant one [3, 15, 16]. Relating every state and every output to previous states, we can always rewrite any block of τ iterations at a given time j as xτ (j+1) = Aτ −1,0 xτ j
⎡
⎢ ⎢ + Aτ −1,1 B0 Aτ −1,2 B1 . . . Aτ −1,τ −1Bτ −2 Bτ −1 ⎢ ⎣ ⎡
yτ j y τ j+1 .. .
⎢ ⎢ ⎢ ⎣
y τ j+τ −1 ⎡
⎤
⎡
⎥ ⎥ ⎥, ⎦
uτ j+τ −1
⎤
C0 C1 A0,0 C2 A1,0 .. .
⎢ ⎥ ⎢ ⎥ ⎢ ⎥=⎢ ⎦ ⎢ ⎣
⎤
uτ j uτ j+1 .. .
⎥ ⎥ ⎥ ⎥ xτ j ⎥ ⎦
Cτ −1 Aτ −2,0
D0 C1 B0 C2 A1,1 B0 .. .
O D1 C2 B1 .. .
... ... ...
O O O .. .
O O O .. .
⎤
⎡ ⎤ ⎥ ⎢ uτ j ⎥ ⎢ ⎥ ⎢ uτ j+1 ⎥ ⎢ ⎥⎢ ⎥ ⎢ +⎢ ⎥⎢ ⎥ .. ⎥⎣ ⎢ ⎦ . ⎥ ⎢ ⎣ Cτ −2 Aτ −3,1 B0 Cτ −2 Aτ −3,2 B1 . . . Dτ −2 O ⎦ uτ j+τ −1 Cτ −1 Aτ −2,1 B0 Cτ −1 Aτ −2,2 B1 . . . Cτ −1 Bτ −2 Dτ −1 where Ai,j
Ai Ai−1 · · · Aj+1 Aj , = Ai ,
This system can be written as Xj+1 = AXj + BUj Yj = CXj + DUj where A = Aτ −1,0 ,
if i = j, if i = j. (4)
B = Aτ −1,1 B0 Aτ −1,2 B1 . . . Aτ −1,τ −1 Bτ −2 Bτ −1 ,
⎡ ⎤ D0 O C0 ⎢ D1 C1 B0 ⎢ ⎢ C1 A0,0 ⎥ ⎢ C2 A1,1 B0 ⎥ ⎢ C2 B1 ⎢ ⎥ ⎢ C = ⎢ C2 A1,0 ⎥ , D = ⎢ .. .. ⎢ ⎥ ⎢ .. . . ⎢ ⎦ ⎣ . ⎣ Cτ −2 Aτ −3,1 B0 Cτ −2 Aτ −3,2 B1 Cτ −1 Aτ −2,0 Cτ −1 Aτ −2,1 B0 Cτ −1 Aτ −2,2 B1 ⎡
⎡ Xj = xτ j ,
⎢ ⎢ Yj = ⎢ ⎣
yτ j y τ j+1 .. . y τ j+τ −1
⎤ O O O O ⎥ ⎥ O O ⎥ ⎥ .. .. ⎥ , . . ⎥ ⎥ ... Dτ −2 O ⎦ . . . Cτ −1 Bτ −2 Dτ −1
... ... ...
⎤
⎡
⎥ ⎥ ⎥ ⎦
⎢ ⎢ and Uj = ⎢ ⎣
uτ j uτ j+1 .. . uτ j+τ −1
⎤ ⎥ ⎥ ⎥. ⎦
A Systems Theory Approach
77
System (4) is the timeinvariant convolutional code equivalent to the periodic timevarying system (3). Our particular construction replaces matrices At and Dt by ﬁxed matrices A and D, respectively, for all t. Then, expression (3) turns into xt+1 = Axt + Bt ut , t = 0, 1, 2, . . . , (5) y t = Ct xt + Dut and matrices A, B, C and D of system (4) become A = Aτ , B = Aτ −1 B0 Aτ −2 B1 . . . ABτ −2 Bτ −1 , ⎡ ⎢ ⎢ C=⎢ ⎣
C0 C1 A .. .
Cτ −1 Aτ −1
3.1
⎤ ⎥ ⎥ ⎥, ⎦
⎡
D C1 B0 C2 AB0 .. .
O D C2 B1 .. .
... ... ...
O O O .. .
⎢ ⎢ ⎢ ⎢ D=⎢ ⎢ ⎢ ⎣ Cτ −2 Aτ −3 B0 Cτ −2 Aτ −4 B1 . . . D Cτ −1 Aτ −2 B0 Cτ −1 Aτ −3 B1 . . . Cτ −1 Bτ −2
⎤ O O⎥ ⎥ O⎥ ⎥ .. ⎥ . . ⎥ ⎥ O⎦ D
Minimality Conditions
In this subsection we study conditions for the controllability and observability of the new equivalent timeinvariant convolutional code of our construction. Theorem 2. If τ k ≥ δ and the matrices Bj , for j = such 0, 1, . . . , τ − 1, are that Bj = A−(τ −j−1) Ej , being Ej ∈ Fδ×k with E = E0 E1 . . . Eτ −1 a full rank matrix, then the system defined by expression (4) is controllable. Proof. According to the form of the controllable matrix in (5) we have that Φδ (A, B) = B AB . . . Aδ−1 B = E Aτ E . . . A(δ−1)τ E which is clearly a full rank matrix. So, the system (4) is controllable.
Similarly, we have the following result for the observability. Here we denote by M T the transpose matrix of M . Theorem 3. If τ (n − k) ≥ δ and the matrices Cj , for j = 0, 1, . . . , τ − 1, are T such that Cj = Fj A−j , being Fj ∈ F(n−k)×δ with F = F0T F1T . . . FτT−1 a full rank matrix, then the system defined by expression (4) is observable. Note that if we choose Bj and Cj as in Theorems 2 and 3, then we ensure the minimality of the new invariant system. Moreover, taking A = Iδ , E as the parity check matrix of a block code, and F T such that Fj is the submatrix of I = I I I . . . formed by the rows j(n− k)+ l for l = 1, 2, . . . , n − k, then we obtain the periodically timevariant convolutional code proposed in [17]. So, our construction generalizes that case.
78
3.2
J.J. Climent et al.
Minimality for Generic Periodic TimeVariant Convolutional Codes
Let us now return to the general case given by expression (3). Another representation of the timeinvariant equivalent code is the following statespace form (see [7]): xt (h) + But (h) R(λ) xt (h) = A t (h) + Dut (h) y t (h) = C x where
⎡
⎢ ⎢ ut (h) = ⎢ ⎣
ut+hτ ut+hτ +1 .. .
⎤ ⎥ ⎥ ⎥, ⎦
⎡ ⎢ ⎢ y t (h) = ⎢ ⎣
y t+hτ y t+hτ +1 .. .
⎤ ⎥ ⎥ ⎥, ⎦
⎡ ⎢ ⎢ t (h) = ⎢ x ⎣
xt+hτ xt+hτ +1 .. .
⎤ ⎥ ⎥ ⎥ ⎦
ut+hτ +τ −1 y t+hτ +τ −1 xt+hτ +τ −1 O I(τ −1)δ and R(λ) = where λ denotes the onestepforward time operator λIδ O in the variable h and O denotes the null matrix of the appropriate size. The matrices A, B, C and D are now blockdiagonal matrices deﬁned as A = diag (A0 , A1 , . . . , Aτ −1 ) , B = diag (B0 , B1 , . . . , Bτ −1 ) , C = diag (C0 , C1 , . . . , Cτ −1 ) and D = diag (D0 , D1 , . . . , Dτ −1 ) . A − R(λ) i 0 , then the folIf we deﬁne P (λ) = A − R(λ) B and P (λ) = C lowing theorem, which will be useful for the proofs of further results, holds also for ﬁnite ﬁelds. Theorem 4 ([7]). The periodic system (3) is controllable (respectively, observable) if and only if the matrix P i (λ) (respectively, P 0 (λ)) has full row (respectively, column) rank for all λ ∈ C. For the case where the subsystems forming the periodically timevarying convolutional code are (n, 1, 1)codes or (n, n − 1, 1)codes we have the following result. Theorem 5. If the periodically timevarying convolutional code is generated by τ controllable and observable (n, 1, 1)codes (or (n, n − 1, 1)codes), then the periodically timevarying convolutional code obtained is as well controllable and observable. Proof. We will develop the proof for the case (n, 1, 1). In this case ⎤ ⎡ ⎡ ct,0 dt,0 ⎢ ct,1 ⎥ ⎢ dt,1 ⎥ ⎢ ⎢ At = [at ], Bt = [bt ], Ct = ⎢ . ⎥ , and Dt = ⎢ . ⎣ .. ⎦ ⎣ .. ct,n−2
dt,n−2
⎤ ⎥ ⎥ ⎥. ⎦
A Systems Theory Approach
79
Following the previous theorem, our periodic system is controllable if and only if the matrix ⎤ ⎡ a0 −1 0 . . . 0 0 b0 0 . . . 0 ⎢ 0 a1 −1 . . . 0 0 0 b1 . . . 0 ⎥ ⎥ ⎢ ⎢ .. . . . . .. .. .. ⎥ i .. .. .. .. P (λ) = A − R(λ) B = ⎢ . . . . ⎥ ⎥ ⎢ ⎣ 0 0 0 . . . 0 −1 0 0 . . . 0 ⎦ −λ 0 0 . . . 0 aτ −1 0 0 . . . bτ −1 has full row rank. To ensure that this matrix has full rank we will check that bi = 0 for i = 0, 1, . . . , τ − 1. For every subsystem we have that controllability by Popov holds. Then BelevitchHautus test (see [8]) it holds that rank( zI − ai bi ) = 1 for every eigenvalue z of [ai ] and i = 0, 1, . . . , τ − 1. Since the only eigenvalue of [ai ] is z = ai then it must hold that bi = 0. Thus the matrix P i (λ) has full rank and the periodic timevarying convolutional code is controllable. On the other hand, by the previous result, our periodic system is observable if and only if the matrix ⎤ ⎡ a0 −1 0 ... 0 0 ⎥ ⎢ 0 0 a1 −1 . . . 0 ⎥ ⎢ .. .. .. .. ⎥ ⎢ .. ⎥ ⎢ . . . . . ⎥ ⎢ ⎥ ⎢ 0 0 0 . . . 0 −1 ⎥ ⎢ ⎢ −λ 0 0 . . . 0 a τ −1 ⎥ ⎥ ⎢ ⎥ ⎢ c0,0 0 0 ... 0 0 ⎥ ⎢ ⎥ ⎢ c0,1 0 0 0 0 ⎥ ⎢ ⎥ ⎢ .. .. .. .. .. ⎥ ⎢ . . . . . ⎥ ⎢ A − R(λ) 0 ⎥ ⎢ 0 0 ... 0 0 = ⎢ c0,n−2 P (λ) = ⎥ C ⎥ ⎢ 0 c1,0 0 ... 0 0 ⎥ ⎢ ⎥ ⎢ 0 0 ... 0 0 c1,1 ⎥ ⎢ ⎥ ⎢ . .. .. .. .. ⎥ ⎢ .. . . . . ⎥ ⎢ ⎥ ⎢ 0 0 c1,n−2 0 . . . 0 ⎥ ⎢ ⎢ 0 0 0 . . . 0 cτ −1,0 ⎥ ⎥ ⎢ ⎢ 0 0 0 . . . 0 cτ −1,1 ⎥ ⎥ ⎢ ⎥ ⎢ . .. .. .. .. ⎦ ⎣ .. . . . . 0 0 0 . . . 0 cτ −1,n−2 has full column rank. To ensure that this matrix has full rank we will check that for each i = 0, 1, . . . , τ − 1 there exist at least one j such that ci,j = 0. For every subsystem we assumed that⎛observability ⎤⎞ holds. Again by Popov⎡ zI − ai ⎜⎢ ci,0 ⎥⎟ ⎥⎟ ⎜⎢ ⎥⎟ ⎜⎢ BelevitchHautus test it holds that rank ⎜⎢ ci,1 ⎥⎟ = 1 for every eigenvalue ⎥⎟ ⎜⎢ .. ⎦⎠ ⎝⎣ . c1,n−2
80
J.J. Climent et al.
z of [ai ] and i = 0, 1, . . . , τ − 1. Then it must exist at least one j such that ci,j = 0. Thus the matrix P 0 (λ) has full rank and the periodic timevarying convolutional code is observable. The proof for the case (n − 1, n, 1) is analogous.
4
Free Distance
In this section we obtain a lower bound on the free distance of the periodic timevarying code by means of the free distance of the invariant equivalent associated, due to the fact that both are the same (see [24]). Theorem 6 (Theorem 3.1 of [22]). Let C be an observable, rate k/n, degree δ, convolutional code defined through the matrices A, B, C and D. Let ν be the observability index of the pair (A, C) and suppose that there exists d ∈ Z+ such that Φdν (A, B) forms the paritycheck matrix of a block code of distance d. Then the free distance of C is greater than or equal to d. Now we have the following result. Theorem 7. If the matrix Φdν (A, B) = B AB . . . Adν−1 B represents the paritycheck matrix of an MDS block code of distance d, then df ree ≥ δ + 1. Proof. Let P = Aτ −1 B0 Aτ −2 B1 . . . Bτ −1 . The matrix B AB . . . Adν−1 B = P Aτ P . . . A(dν−1)τ P has size δ ×τ kdν. Since the paritycheck matrix of a block code is a matrix of size (N −K)×N , we have that the parameters of the block code are [τ kdν, τ kdν−δ, d]. The block code is MDS so the distance d achieves the Singleton bound N −K +1. Then we have df ree (C) ≥ d = τ kdν − τ kdν + δ + 1 = δ + 1.
Note that if df ree (C) = δ + 1, then C cannot be an MDS convolutional code since, in order to attain the generalized Singleton bound, n = k should hold.
5
Conclusion
In this paper we propose a new method for constructing periodically timevariant convolutional codes. We study the minimality conditions of the new system and state some results about the dependence between the controllability and observability of the subsystems and the minimality of the timeinvariant equivalent one. We also study the general case for particular forming subsystems. A lower bound on the free distance is as well given using the fact that both codes have the same df ree . As it is shown in this construction, the number of delay elements remains as δ. This fact makes that the decoding complexity of the new timevarying code
A Systems Theory Approach
81
does not increase respect to the complexity of the subsystems. This gives us a lower complexity of the arithmetic circuits when implementing the model. As future research lines we will study the properties of the timeinvariant convolutional code depending on the properties of the subsystems forming the periodically timevariant convolutional one; we will attempt to construct MDS convolutional codes and maximum distance proﬁle (MDP) convolutional codes, which are an optimum subclass.
References [1] Allen, B.M.: Linear Systems Analysis and Decoding of Convolutional Codes. Ph.D thesis, Department of Mathematics, University of Notre Dame, Indiana, USA (June 1999) [2] Antsaklis, P.J., Michel, A.N.: Linear Systems. McGrawHill, New York (1997) [3] Balakirsky, V.B.: A necessary and suﬃcient condition for timevariant convolutional encoders to be noncatastrophic. In: Cohen, G.D., Litsyn, S., Lobstein, A., Z´emor, G. (eds.) Algebraic Coding 1993. LNCS, vol. 781, pp. 1–10. Springer, Heidelberg (1994) [4] Climent, J.J., Herranz, V., Perea, C.: A ﬁrst approximation of concatenated convolutional codes from linear systems theory viewpoint. Linear Algebra and its Applications 425, 673–699 (2007) [5] Climent, J.J., Herranz, V., Perea, C.: Linear system modelization of concatenated block and convolutional codes. Linear Algebra and its Applications 429, 1191–1212 (2008) [6] Dholakia, A.: Introduction to Convolutional Codes with Applications. Kluwer Academic Publishers, Boston (1994) [7] Grasselli, O.M., Longhi, S.: Finite zero structure of linear periodic discretetime systems. International Journal of Systems Science 22(10), 1785–1806 (1991) [8] Hautus, M.L.J.: Controllability and observability condition for linear autonomous systems. Proceedings of Nederlandse Akademie voor Wetenschappen (Series A) 72, 443–448 (1969) [9] Hutchinson, R., Rosenthal, J., Smarandache, R.: Convolutional codes with maximum distance proﬁle. Systems & Control Letters 54(1), 53–63 (2005) [10] Johannesson, R., Zigangirov, K.S.: Fundamentals of Convolutional Coding. IEEE Press, New York (1999) [11] Justesen, J.: New convolutional code constructions and a class of asymptotically good timevarying codes. IEEE Transactions on Information Theory 19(2), 220– 225 (1973) [12] Levy, Y., Costello Jr., D.J.: An algebraic approach to constructing convolutional codes from quasicyclic codes. DIMACS Series in Discrete Mathematics and Theoretical Computer Science 14, 189–198 (1993) [13] Massey, J.L., Costello, D.J., Justesen, J.: Polynomial weights and code constructions. IEEE Transactions on Information Theory 19(1), 101–110 (1973) [14] McEliece, R.J.: The algebraic theory of convolutional codes. In: Pless, V.S., Huﬀman, W.C. (eds.) Handbook of Coding Theory, pp. 1065–1138. Elsevier, NorthHolland, Amsterdam (1998) [15] Mooser, M.: Some periodic convolutional codes better than any ﬁxed code. IEEE Transactions on Information Theory 29(5), 750–751 (1983)
82
J.J. Climent et al.
[16] O’Donoghue, C., Burkley, C.: Catastrophicity test for timevarying convolutional encoders. In: Walker, M. (ed.) Cryptography and Coding 1999. LNCS, vol. 1746, pp. 153–162. Springer, Heidelberg (1999) [17] Ogasahara, N., Kobayashi, M., Hirasawa, S.: The construction of periodically timevariant convolutional codes using binary linear block codes. Electronics and Communications in Japan, Part 3 90(9), 31–40 (2007) [18] Rosenthal, J.: An algebraic decoding algorithm for convolutional codes. Progress in Systems and Control Theory 25, 343–360 (1999) [19] Rosenthal, J.: Connections between linear systems and convolutional codes. In: Marcus, B., Rosenthal, J. (eds.) Codes, Systems and Graphical Models. The IMA Volumes in Mathematics and its Applications, vol. 123, pp. 39–66. Springer, Heidelberg (2001) [20] Rosenthal, J., Smarandache, R.: Maximum distance separable convolutional codes. Applicable Algebra in Engineering, Communication and Computing 10, 15–32 (1999) [21] Rosenthal, J., Schumacher, J., York, E.V.: On behaviors and convolutional codes. IEEE Transactions on Information Theory 42(6), 1881–1891 (1996) [22] Rosenthal, J., York, E.V.: BCH convolutional codes. IEEE Transactions on Information Theory 45(6), 1833–1844 (1999) [23] Tanner, R.M.: Convolutional codes from quasicyclic codes: A link between the theories of block and convolutional codes. Technical Report USCCRL8721 (November 1987) [24] Thommesen, C., Justesen, J.: Bounds on distances and error exponents of unit memory codes. IEEE Transactions on Information Theory 29(5), 637–649 (1983) [25] York, E.V.: Algebraic Description and Construction of Error Correcting Codes: A Linear Systems Point of View. Ph.D thesis, Department of Mathematics, University of Notre Dame, Indiana, USA (May 1997)
On Elliptic Convolutional Goppa Codes Jos´e Ignacio Iglesias Curto Departamento de Matem´ aticas, Universidad de Salamanca, Plaza de la Merced 1, 37008 Salamanca, Spain
Abstract. The algebraic geometric tools used by Goppa to construct block codes with good properties have been also used successfully in the setting of convolutional codes. We present here this construction carried out over elliptic curves, yielding a variety of codes which are optimal with respect to diﬀerent bounds. We provide a number of examples for different values of their parameters, including some explicit strongly MDS convolutional codes. We also introduce some conditions for certain codes of this class to be MDS.
1
Introduction
Goppa codes, introduced by V.D. Goppa in the late seventies [4,5] were the seed of a fruitful link between coding theory and algebraic geometry. A further use of algebraic geometric tools in coding theory resulted in many other code constructions but also in the study of related open questions, as for instance the number of rational points of a given curve. Diﬀerent algebraic elements have been used also to construct convolutional codes. A convolutional code of length n and dimension k is often deﬁned as a kdimensional subspace of Fnq (z). However it is known that there exists always a polynomial generator matrix. As explained in [1], the term “convolutional” is used because the output sequences can be regarded as the convolution of the input sequences with the sequences in the encoder. Hence, the output at time t does not only depend on the input at time t, but also on those at previous time instants. The output vector at time t is precisely the coeﬃcient of z t . The amount of this dependance is a critical parameter of the convolutional code called the degree or the complexity of the code, δ, and can be computed as the sum of the row degrees of a polynomial generator matrix in row proper form. In fact convolutional codes of degree 0 are precisely linear block codes. In addition, the highest row degree of a polynomial generator matrix in row proper form stands for the number of previous inputs on which every output depends, and it is another invariant of the code known as its memory, m. Since the components of convolutional codewords are not constant the weight function considered is slightly diﬀerent than the one in block coding. The weight of a convolutional codeword is the sum of the nonzero coeﬃcients at each of
Research partially supported by the research contract MTM2006076B of DGI and by Junta de Castilla y Le´ on under research project SA029A08.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 83–91, 2009. c SpringerVerlag Berlin Heidelberg 2009
84
J.I. Iglesias Curto
its components. In a similar way the distance of two codewords is deﬁned, and the minimum among them is called the free distance, df , of the code. Similarly to block coding, several bounds on the free distance are used. Two of the most commonly ones used, to which we will refer later (and which are generalizations of bounds for block codes), are df ree ≤ S(n, k, δ) = (n − k)
δ k
+1 +δ+1
generalized Singleton bound [11] k(m+i)−δ−1
df ree ≤ max{d∈{1, . . . , S(n, k, δ)} ˆ= N
l=0
d ˆ ≤ n(m + i), for all i ∈ N} ql
N ≡ {1, 2, . . .} if km = δ . N0 ≡ {0, 1, 2, . . .} if km > δ Griesmer bound [3]
By analogy with block coding, convolutional codes attaining the generalized Singleton bound are known as Maximum Distance Separable, MDS, codes. As convolutional codes are a generalization of linear block codes, one might wonder wether algebraic geometric tools, and in particular similar tools as the ones used by Goppa, could be also used to construct families of convolutional codes with certain good properties. A ﬁrst attempt to deﬁne convolutional Goppa codes was made in [10], where instead of a curve, a family of curves parameterized by the aﬃne line was considered. Instead of points, disjoint sections of the projection of this family over the aﬃne line were taken, and instead of divisors on a curve, a Cartier divisor and an invertible sheaf. An analogous construction to the classical one led to a family of convolutional codes “of Goppa type”. After that, a more general construction with simpler geometric tools has been given in [9]. The paper is structured as follows. In Section 2 we expose the use of algebraic geometric elements to construct convolutional Goppa codes. In Section 3 we apply this construction to the case in which the curve considered is elliptic. An explicit expression of the elements involved, in particular of the rational points taken, will allow to determine the generator matrices of the codes so obtained. In Section 4 we present several examples of optimal elliptic convolutional Goppa codes. Finally in Section 5 we address the problem of characterizing MDS codes.
2
Geometric Construction of Convolutional Goppa Codes
Let Fq be a ﬁnite ﬁeld and Fq (z) the ﬁeld of rational functions on one variable. Let X be a smooth projective curve over Fq (z) of genus g and let us assume that Fq (z) is algebraically closed in the ﬁeld of rational functions of X. Both RiemannRoch and the Residues theorems still hold under this hypothesis [6].
On Elliptic Convolutional Goppa Codes
85
Let us take n diﬀerent Fq (z)rational points P1 , . . . , Pn and the divisor D = P1 +· · ·+Pn , with its associated invertible sheaf OX (D). We have then the exact sequence of sheaves 0 → OX (−D) → OX → Q → 0 ,
(1)
where Q is a sheaf with support only at the points Pi . Let G be another divisor on X with support disjoint from D. By tensoring the exact sequence (1) by the associated invertible sheaf OX (G), we have 0 → OX (G − D) → OX (G) → Q → 0 . and by taking global sections we get the sequence α
0 → H 0 (X, OX (G − D)) → H 0 (X, OX (G)) → H 0 (X, Q) → → H 1 (X, OX (G − D)) → H 1 (X, OX (G)) → 0
.
If we impose deg(G) < n = deg(D), we have an injective Fq (z)linear map 0
/ L(G) s
α
n / F (z) × . . . × Fq (z) q
/ ...
/ (s(P1 ), . . . , s(Pn ))
Definition 1. The convolutional Goppa code C(D, G) defined by the divisors D and G is the image of α : L(G) → Fq (z)n . Given a subspace S ⊆ L(G), the convolutional Goppa code C(D, S) defined by D and S is the image of αS . We can use the RiemannRoch theorem to calculate the dimension of a convolutional Goppa code. Proposition 1 ([9]). C(D, G) is a convolutional code of length n = deg(D) and dimension k ≥ deg(G)+1−g. Further, if deg(G) > 2g−2 then k = deg(G)+1−g. Proof. Since deg(G) < n, dim L(G − D) = 0, hence the map α is injective and k = dim L(G). If 2g − 2 < deg(G), dim L(G) = 1 − g + deg(G) by the RiemannRoch theorem. The geometric tools to characterize the free distance of convolutional Goppa codes are much more sophisticated than the analogous ones in the block case, involving jets, osculating planes and an interpretation of the points Pi as sections over the aﬃne line. Then, the calculus of the free distance could be interpreted as a problem of Enumerative Geometry over ﬁnite ﬁelds [9]. However a few conditions to obtain MDS convolutional codes will be given in Section 5. Similarly, a convolutional code can be constructed by considering the dual morphisms of those deﬁning C(D, G) and by means of the Residues Theorem it can be proven that the code so constructed is the dual code of C(D, G).
86
3
J.I. Iglesias Curto
Convolutional Goppa Codes over Elliptic Curves
Let X ⊂ P2Fq (z) be a plane elliptic curve over Fq (z). Without loss of generality we will assume that X has a rational point of order at least 4 (so that there are enough rational points to deﬁne a convolutional code). Then, in an aﬃne plane containing this point, X can be written in Tate Normal form [7] y 2 + axy + by = x3 + bx2
(2)
being x, y the aﬃne coordinates in this plane and a, b ∈ Fq (z). Let P∞ be the point at inﬁnity, P0 = (0, 0) and P1 , . . . , Pn n diﬀerent rational points of X, with Pi = (xi , yi ) and xi , yi ∈ Fq (z). Consider the divisors D = P1 + · · · + Pn and G = rP∞ , with 0 < r < n. Recall that the divisors of the functions x, y are (x) = P0 + Q − 2P∞ , (y) = 2P0 + Q − 3P∞ where Q, Q are two rational points diﬀerent from P0 , P∞ . Then, a basis of L(G) is given by {1, x, y, . . . , xi y j , . . .}, where i, j satisfy 2i + 3j ≤ r = deg(G) (and to avoid linear dependencies j = 0, 1). Since r < n then the evaluation map α : L(G) xi y j
/ Fq (z)n / (xi y j , . . . , xi y j ) 1 1 n n
is an injective morphism and Imα deﬁnes the convolutional Goppa code C(D, G) with length n. As g = 1 and deg(G) > 2g − 2 the code has dimension k = r = deg(G). Let us consider now the more general case with G = rP∞ −sP0 , where r, s > 0 and 0 < r − s < n. Then {xa y b  s ≤ a + 2b, 2a + 3b ≤ r} is a basis of L(G). The code C(D, G) has length n and dimension r − s. The explicit expression of a generator matrix of the code C(D, G) is ⎞ ⎛ a b x1 y1 xa2 y2b . . . xan ynb b a+1 b a+1 b ⎟ ⎜xa+1 ⎜ 1 y1 x2 y2 . . . xn yn ⎟ G=⎜ . . .. ⎟ . . .. .. ⎝ .. . ⎠ xc1 y1d
xc2 y2d . . . xcn ynd
The following examples illustrate this construction, as well as the fact that it provides optimal codes. Example 1. Let us consider the elliptic curve with Tate Normal form y 2 + zxy + y = x3 + x2 over the ﬁeld F2 (z).
On Elliptic Convolutional Goppa Codes
87
We take the divisor D = P1 + P2 + P3 + P4 with P2 = (1 + z, 1 + z 2 ) P1 = (1 + z, z) 3 1+z 3 1+z 3 +z 4 +z 5 1+z 2 +z 4 ) P4 = ( 1+z ) P3 = ( z2 , z3 z2 , z3 and the divisor G = 3P∞ − P0 , being therefore L(G) = x, y . Then the convolutional Goppa Code deﬁned by D and G is generated by the matrix 2 z z2 1 + z + z2 1 + z + z2 , 1 + z 1 + z2 + z3 1 + z + z3 0 2
2
z where the rows are the images of the functions 1+z x and zy + 1+z+z 1+z x respectively. C(D, G) has parameters [n, k, δ, m, df ree ] = [4, 2, 5, 3, 8]. The free distance of the code attains the Griesmer bound.
Example 2. We consider now the elliptic curve y 2 + zxy + 2z 2 y = x3 + 2z 2 x2 over F5 (z), and the divisor D = P1 + P2 , with support at the points 2
3
4
4
5
6
+3z +4z 2z +2z +3z P1 = (3z 2 , 3z 2 + 2z 3 ) P2 = ( 2z1+3z+z , 4+3z+2z 2 2 +z 3 )
We take the divisor G = 2P∞ − P0 , and we have L(G) = x . A generator matrix of the code C(D, G) is 2 + z + 2z 2 , 3 + 2z + z 2 2
given by the image of the function 4+2z+4z x. The code has parameters [n, k, δ, z2 df ree ] = [2, 1, 2, 6], and hence it is MDS. Example 3. Now we take the curve y 2 + (1 + z + z 2 )xy + (z 2 + z 3 )y = x3 + (z 2 + z 3 )x2 over Fq (z), with q = 2m . We consider the divisor D = P1 + P2 + P3 where P1 = (0, −z 3 − z 2 ) P2 = (z 2 − z, −z 4 − 2z 3 + z 2 ) P3 = (−z 2 − z, −z 3 + z) Let us take G = 2P∞ , then L(G) = 1, x and a generator matrix for the convolutional Goppa code C(D, G) is 1 1 1 , 01−z 1+z whose rows are images of the functions 1 and − z1 x. C(D, G), has parameters [n, k, δ, m, df ree ] = [3, 2, 1, 1, 3]. Then C(D, G) is an MDS convolutional code.
88
4
J.I. Iglesias Curto
Some Optimal Convolutional Goppa Codes over Elliptic Curves
The previous examples illustrate the construction of elliptic convolutional Goppa codes with diﬀerent parameters from their deﬁning elements, i. e., the elliptic curve and the divisors D and G. They also show the existence of optimal convolutional codes deﬁned over elliptic curves. In this section we present a representative collection of convolutional Goppa codes deﬁned over elliptic curves. A more extensive one can be found in [8]. The description of the codes is done by means of their generating elements. To characterize the elliptic curve over which each code is deﬁned, let a, b be the parameters on its Tate Normal form (2). On this curve we take the points {Pi }7i=1 = {2P, 3P, −3P, 4P, −4P, 5P, −5P }, where P = (0, 0) = P0 is a rational point which belongs to the curve, and nP , n ∈ Z is obtained by the addition law deﬁned over every elliptic curve. Together with them, the basis or the bases (when in the same curve and with the same divisor D there is more than one code for those parameters) of the space of functions that deﬁne each code are provided. We include for each code its parameters, the size p of the base ﬁeld (which for the codes presented will be always prime) and the bound that it reaches so that it is considered optimal. As shown on the table, for those codes that are optimal with respect to the Griesmer bound (i.e., there does not exist MDS codes over that ﬁeld) there exist also MDS codes if the size of the base ﬁeld is big enough. 4.1
Strongly MDS Convolutional Codes
The set of strongly MDS convolutional codes is a particularly interesting subset of MDS convolutional codes. They are characterized by the property that to decode the coeﬃcients vector at time t, the smallest possible number of coeﬃcients vectors of the received word are needed. This property is very convenient to develop iterative decoding algorithms, as the one in [2], with an error decoding capability per time interval similar to MDS block codes of a large length. The family of convolutional Goppa codes deﬁned over elliptic curves provides also a number of codes which are strongly MDS. A representative subset of them are presented in the following table. More examples can be found in [8]. We would like to stress two interesting facts. In [2] several examples of strongly MDS convolutional codes are presented, which are obtained by diﬀerent methods. However all of them have in common that the length of the code and the characteristic of the base ﬁeld must be coprime. This condition is not necessary in our construction and actually some of the codes obtained in this way don’t fulﬁll it. Secondly, the already mentioned decoding algorithm for this kind of codes that is proposed in the same paper, has the drawback of needing a general syndrome decoding algorithm. The variety of examples presented suggests that elliptic convolutional Goppa codes are a promising way to obtain strongly MDS codes with a rich algebraic structure that would allow to adapt that decoding scheme in order to make it practical.
On Elliptic Convolutional Goppa Codes
89
Table 1. Examples of optimal elliptic convolutional Goppa codes [n, k, δ] [2,1,1] [2,1,1] [2,1,2] [2,1,2] [2,1,7] [2,1,7] [3,1,1] [3,1,2] [3,1,2] [3,1,6] [4,1,2] [4,1,6] [4,1,8] [3,2,1] [3,2,1] [3,2,3] [4,2,1] [4,2,1] [4,2,3] [4,2,5] [4,2,5] [5,2,1] [4,3,2] [4,3,2]
p 3 ≥3 2 ≥5 7 13 ≥5 2 7 11 5 11 11 5 7 7 ≥3 ≥3 7 2 13 ≥3 7 11
df ree (a,b) L(G) 4 (α1 z, α1 z + 2z 2 ) {x} 4 (z, α2 z − α2 z 2 ) {x} 5 (1 + z, 1) {y}, {xy} 6 (2z, 1) {x} 15 (z + 2z 2 , 1 + 4z + 3z 2 ) {y}, {xy} 16 (3z 2 , 1 + 2z + 2z 2 ) {y}, {xy} 6 (z, 2 − 5z + 3z 2 ) {y}, {xy} 8 (z, z 2 ) {x} 9 (z, 1 + 2z + 4z 2 ) {y} 21 (z, 1 + 3z 2 ) {xy} 12 (z, 1 + 2z + 2z 2 ) {y} 28 (z, 1 + 4z + 6z 2 ) {xy} 36 (3z, 6 + 4z 2 ) {y} 3 (1 + z, z + 3z 2 ) {x, y}, {x2 , xy} 3 (1 + 2z, 2z + z 2 ) {x, y}, {x2 , xy} 2 6 (2z, 2 + 6z ) {x, y} 4 (z, −2 + 2z) {1, x} 4 (z, −2 + 3z − z 2 ) {1, x} 8 (2z, 3 + 2z 2 ) {x, y} 8 (z, 1) {x, y} 12 (z, 4 + 4z + 5z 2 ) {x, y} 5 (z, −2 + 3z − z 2 ) {1, x} 4 (5 + α3 z, 3 − α3 z) {1, x, y} 4 (6 + α3 z, 6 − α3 z) {1, x, y} α2 = −1 α3 = 0
i,D = Pi 1, 4 1, 4 4, 5 2, 6 6, 7 6, 7 1, 4, 5 1, 4, 5 1, 4, 5 1, 4, 5 2, 3, 6, 7 2, 3, 6, 7 2, 3, 6, 7 1, 4, 5 1, 4, 5 1, 4, 5 0, 1, 2, 4 1, 2, 4, 6 2, 3, 6, 7 2, 3, 6, 7 2, 3, 6, 7 0, 1, 2, 4, 6 1, 3, 6, 7 1, 3, 6, 7
Bound MDS MDS Griesmer MDS Griesmer MDS MDS Griesmer MDS MDS MDS MDS MDS MDS MDS MDS MDS MDS MDS Griesmer MDS MDS MDS MDS
Table 2. Examples of strongly MDS elliptic convolutional Goppa codes [n, k, δ] p df ree (a,b) L(G) i,D = Pi [2,1,1] 5 4 (z, 1 + 2z + 2z 2 ) {x} 2, 6 [2,1,1] 7 4 (z, 2 + 2z + 3z 2 ) {x} 2, 6 [2,1,2] 11 6 (0, 2 + α1 z) {y}, {xy} 4, 5 [2,1,2] 11,13 6 (2z, 3) {y}, {xy} 4, 5 [2,1,2] 13 6 (2z, 5 + 3z) {y}, {xy} 6, 7 [3,1,2] 3 3 (z 2 , 1 + z) {1, x} 1, 2, 6 [3,1,2] ≥ 5 3 (z, 1 − 3z + 2z 2 ) {x, y},{x2 , xy} 1, 4, 5 [4,2,1] 5,11 4 (2 + α2 z, α3 + α2 α3 z) {1, x} 0, 1, 2, 4 α1 = 1, . . . , 6, α2 ≥ 1, α3 ≥ 2
5
Conditions on Maximum Distance Separability
In [11] a condition is provided so that a codeword has weight bigger or equal to the value for the generalized Singleton bound, the socalled weight property. A codeword holds this property if every subset of k components has weight at
90
J.I. Iglesias Curto
least δ + 1. Hence a suﬃcient condition for a convolutional code to be MDS is that every codeword holds the weight property. As it is shown, the weight property implies that at least n − k + 1 components must have weight at least δ/k + 1. In particular, since these components must be of course diﬀerent from 0, the previous condition is also a suﬃcient condition to be a MDS block code over Fq (z). It is easy to check that actually 1dimensional MDS convolutional codes are also MDS as block codes. In particular, the necessary conditions for 1dimensional MDS block codes are also of application in the convolutional case. One of the necessary conditions that have to be veriﬁed is the following. Proposition 2. If C(D, G) is a 1dimensional MDS elliptic code, then for any point P such that G ∼ P , P ∈ / supp(D). Proof. Since G ∼ P , then there exists a function f such that (f ) = G − P , i. e., f ∈ L(G − P ). On the other side, f may not have a zero on the support of D since we assume that C(D, G) is MDS. Then P ∈ / supp(D). In particular, for elliptic convolutional Goppa codes we have Proposition 3. If C(D, G) is a 1dimensional MDS convolutional code, then for any function f such that α(f ) is polynomial of degree δ, then w(f (Pi )) = δ + 1 for all i. Proof. It is a direct consequence of generalized Singleton bound. Note that these results cannot be extended to (n − 1)dimensional codes (as one would do for block codes) since the dual code of a MDS convolutional code may not be MDS.
6
Conclusions
The Goppa construction to deﬁne linear block codes can be also considered in a very natural way on the convolutional coding context. In particular an explicit expression of convolutional Goppa codes deﬁned over elliptic curves can be given. This construction yields optimal codes over diﬀerent ﬁelds and for diﬀerent values of their parameters. It is of particular interest the set of strongly MDS convolutional codes of this family. However the problem of determining the free distance is far harder than in the block coding case. Some conditions to get 1dimensional MDS convolutional codes have been given, but still remains unknown wether they can be extended for codes of any dimension.
References 1. Forney, G.D.: Convolutional codes I: Algebraic structure. IEEE Trans. Information Theory (1970) 2. GluesingLuerssen, H., Rosenthal, J., Smarandache, R.: Strongly MDS convolutional codes. IEEE Trans. Information Theory (52), 584–598 (2006)
On Elliptic Convolutional Goppa Codes
91
3. GluesingLuerssen, H., Schmale, W.: Distance bounds for convolutional codes and some optimal codes (2003), arXiv:math/0305135v1 4. Goppa, V.D.: Codes associated with divisors. Probl. Peredachi Inform. 13(1), 33–39 (1977); Translation: Probl. Inform. Transmission 13, 22–26 (1977) 5. Goppa, V.D.: Codes on algebraic curves. Dokl. Adad. Nauk SSSR 259, 1289–1290 (1981); Translation: Soviet Math. Dokl. 24, 170–172 (1981) 6. Hartshorne, R.: Algebraic geometry. Grad. Texts in Math., vol. 52. Springer, New York (1977) 7. Husemoller, D.: Elliptic curves. Springer, New York (1987) 8. Iglesias Curto, J.I.: A study on convolutional codes. Classﬁcation, new families and decoding, Ph.D. thesis, Universidad de Salamanca (2008) 9. Mu˜ noz Porras, J.M., Dominguez Perez, J.A., Iglesias Curto, J.I., Serrano Sotelo, G.: Convolutional Goppa codes. IEEE Trans. Inform. Theory 52(1), 340–344 (2006) 10. Mu˜ noz Porras, J.M., Dom´ınguez P´erez, J.A., Serrano Sotelo, G.: Convolutional codes of Goppa type. AAECC 15, 51–61 (2004) 11. Rosenthal, J., Smarandache, R.: Maximum distance separable convolutional codes. AAECC 10(1), 15 (1999)
The Minimum Hamming Distance of Cyclic Codes of Length 2ps ¨ ¨ Hakan Ozadam and Ferruh Ozbudak Department of Mathematics and Institute of Applied Mathematics ˙ on¨ Middle East Technical University, In¨ u Bulvarı, 06531, Ankara, Turkey {ozhakan,ozbudak}@metu.edu.tr
Abstract. We study cyclic codes of length 2ps over Fq , where p is an odd prime. Using the results of [1], we compute the minimum Hamming distance of these codes. Keywords: Cyclic code; repeatedroot cyclic code; Hamming distance.
1
Introduction
Although it has been shown in [1] that repeatedroot cyclic codes over finite fields are “asymptotically bad”, they remain to be interesting in some cases (see, for example, [6,7,8,9]). For instance, a sequence of binary repeatedroot cyclic codes, that are optimal, was found in [8]. Moreover, in [6], it has been shown that the minimum Hamming distance of repeatedroot cyclic codes over Galois rings can be determined by the minimum Hamming distance of codes of the same length over the residue finite field. Using this result of [6], the minimum Hamming distance of cyclic codes of length ps over Galois rings of characteristic pa is given in [7]. The minimum Hamming distance of cyclic codes of length ps over a finite field of characteristic p is given in [2]. Later in [5], we have shown that the minimum Hamming distance of these codes can also be computed by using the results of [1] via simpler and more direct methods compared to that of [2]. In this study, we extend our methods to cyclic codes of length 2ps . Namely, we determine the minimum Hamming distance of all cyclic codes, of length 2ps , over a finite field of characteristic p, where p is an odd prime and s is an arbitrary positive integer. This paper is organized as follows. In Section 2, we fix our notation and recall some preliminaries. In Section 3, using the results of [1], we compute the minimum Hamming distance of all cyclic codes of length 2ps over a finite field of characteristic p, where p is an odd prime. We summarize our results in Table 1 at the end of Section 3.
2
Preliminaries
Let p be an odd prime and Fq be a finite field of characteristic p. Let n be a positive integer. Throughout this paper we identify a codeword (a0 , a1 , . . . , an−1 ) M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 92–100, 2009. c SpringerVerlag Berlin Heidelberg 2009
The Minimum Hamming Distance of Cyclic Codes of Length 2ps
93
over Fq with the polynomial a(x) = a0 +a1 x+· · ·+an−1 xn−1 ∈ Fq [x]. We denote the minimum Hamming distance of a code C by dH (C). Let a = xn − 1 be an ideal of Fq [x] and let Ra be the finite ring given by Ra = Fq [x]/a. It is wellknown that cyclic codes, of length n, over Fq are ideals of Ra (see, for example, Chapter 7 of [4]). Any element of Ra can be represented uniquely as f (x) + a where deg(f (x)) < n. The codeword which corresponds to f (x) + a is (f0 , f1 , . . . , fn−1 ), where f (x) = f0 + f1 x + · · · + fn−1 xn−1 ∈ Fq [x]. Since Fq [x] is a principal ideal domain, for any ideal I of Ra , there exists a unique monic polynomial g(x) ∈ Fq [x] with deg(g(x)) < n and g(x)xn − 1 such that I = g(x). Let h(x) ∈ Fq [x] be a polynomial with h(0) = 0, then h(x)  xm − 1 for some positive integer m (c.f. [3, Lemma 3.1]). Let e be the least positive integer with h(x)  xe −1. The order of h(x) is defined to be e and it is denoted by ord(h) = e.
3
Cyclic Codes of Length 2ps
In this section we determine the minimum Hamming distance of all cyclic codes of length 2ps over Fq , where s is a positive integer. s s s s Let 0 ≤ i, j ≤ ps be integers. Since x2p − 1 = (x2 − 1)p = (x − 1)p (x + 1)p , s i j all cyclic codes of length 2p over Fq are of the form (x − 1) (x + 1) . s Let Ra = Fq [x]/x2p −1 and let C = (x−1)i (x+1)j ⊂ Ra . If (i, j) = (0, 0), then C = Ra and if (i, j) = (ps , ps ), then C = {0}. These are the trivial cyclic codes of length 2ps over Fq . In the rest of this section, we compute the minimum Hamming distance of all nontrivial cyclic codes of length 2ps over Fq . We partition the set {0, 1, . . . , ps } into 4 subsets. The first one is the range 0, . . . , ps−1 , the second one is the range ps−1 + 1, . . . , (p − 1)ps−1 , the third one is the range (p − 1)ps−1 + 1, . . . , ps − 1 and the last one just consists of ps . These ranges arise naturally from technicalities of our computations explained below. If i = 0, or j = 0, or 0 ≤ i, j ≤ ps−1 , then the minimum Hamming distance of C can easily be determined as shown in Lemma 2 and Lemma 3 below. We note that from Lemma 8 till Theorem 2, we consider only the cases, where i ≥ j, explicitly. This is because the cases, where j > i, can be treated similarly as the corresponding case of i > j and consequently, we have the analogous results in these cases. Finally, in Theorem 2, we state all of our results explicitly corresponding to each case including the ones where j > i. First we give an overview of the results in this section. If 0 < j ≤ ps−1 and s−1 p + 1 ≤ i ≤ ps , then the minimum Hamming distance of C is computed in Lemma 8 and Lemma 9. Note that we use the results of [1] for our computations after Lemma 5. If ps−1 + 1 ≤ j ≤ i ≤ (p − 1)ps−1 , then the minimum Hamming distance of C is computed in Lemma 10. If ps−1 + 1 ≤ j ≤ (p − 1)ps−1 < i ≤ ps − 1, then the minimum Hamming distance of C is computed in Lemma 11. If (p − 1)ps−1 + 1 ≤ j ≤ i ≤ ps − 1, then the minimum Hamming distance of C is computed in Lemma 12 and Lemma 13. If 0 < j ≤ ps−1 and i = ps , then the minimum Hamming distance of C is computed in Lemma 14. If ps−1 + 1 ≤ j ≤ (p − 1)ps−1 and i = ps , then the minimum Hamming distance of C is computed
94
¨ ¨ H. Ozadam and F. Ozbudak
in Lemma 15. Finally, if (p − 1)ps−1 + 1 ≤ j ≤ ps − 1 and i = ps , then the minimum Hamming distance of C is computed in Lemma 16. We begin to present and prove our results with the next lemma. Lemma 1. Let C be an ideal of Ra with {0} = C Ra . Then dH (C) ≥ 2. Proof. This follows from the observation that αxm is a unit in Ra for α ∈ Fq \{0} and m ∈ Z+ ∪ {0}.
Lemma 2. Let 0 < i, j ≤ ps be integers, let C = (x − 1)i and D = (x + 1)j . Then dH (C) = dH (D) = 2. s
Proof. The proof follows from Lemma 1 and the observation that (x− 1)i xp − 1 s and (x + 1)j xp + 1.
Lemma 3. Let C = (x + 1)i (x − 1)j , for some 0 ≤ i, j ≤ ps−1 with (i, j) = (0, 0). Then dH (C) = 2. s−1
Proof. For this range of i and j, we have (x + 1)i (x − 1)j (x2p
− 1).
The following lemma shows that we can use the results of [1] for computing the minimum Hamming distance of the remaining codes. Lemma 4. Let f (x) = (x − 1)i (x + 1)j ∈ Fq [x] for some integers 0 ≤ i, j ≤ pe . Then ord(f ) = 2pe if j > pe−1 , or if j > 0 and i > pe−1 . Proof. The proof follows from the fact that ord(x + 1) = 2, [3, Theorem 3.8] and [3, Theorem 3.9].
Let G1 = {(x − 1)i (x + 1)j : G2 = {(x − 1)i (x + 1)j :
ps ≥ i > 0 and ps ≥ j > ps−1 }, ps ≥ i > ps−1
and ps ≥ j > 0} s
s
and let g(x) be any element of G1 ∪ G2 \ {(x − 1)p (x + 1)p }. By Lemma 4, ord(g(x)) = 2ps . Therefore we can use the results of [1] to determine the minimum Hamming distance of g(x). Let 0 ≤ t ≤ ps − 1 be an integer. For g(x) = (x − 1)i (x + 1)j ∈ G1 ∪ G2 \ {(x − s ps 1) (x + 1)p }, we define C = g(x), 1, if i > t, 1, if j > t, and ej,t = ei,t = 0, otherwise, 0, otherwise. Let g¯t (x) = (x − 1)ei,t (x + 1)ej,t and let C¯t = ¯ gt (x) ⊂ Fq [x]/x2 − 1 be the simpleroot cyclic code depending on C and t. Following the conventions of [1], we set ⎧ ⎨ 2, if g¯t (x) = x − 1 or g¯t (x) = x + 1, dH (C¯t ) = 1, if g¯t (x) = 1, ⎩ ∞, if g¯t (x) = x2 − 1.
The Minimum Hamming Distance of Cyclic Codes of Length 2ps
95
Then we have the following cases. If i ≥ j > t or j ≥ i > t, and therefore dH (C¯t ) = ∞.
then g¯t (x) = x2 − 1
(1)
If i > t ≥ j or j > t ≥ i, then g¯t (x) = x − 1 or g¯t (x) = x + 1, respectively, and therefore dH (C¯t ) = 2.
(2)
If t ≥ i ≥ j or t ≥ j ≥ i, and therefore dH (C¯t ) = 1.
(3)
then g¯t (x) = 1
For 0 ≤ t ≤ ps − 1, let 0 ≤ t0 , t1 , . . . , ts−1 ≤ p − 1 be the uniquely determined integers such that t = t0 + t1 p + · · · + ts−1 ps−1 , and Pt be the positive integer given by Pt =
s−1
(tm + 1) ∈ Z.
m=0
We define (cf. [1, page 339]) the set T = {t : t = (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−(j−1) + rps−j , 1 ≤ j ≤ s, 1 ≤ r ≤ p − 1} ∪ {0}. In [1], it has been shown that we can express the minimum Hamming distance of C in terms of dH (C¯t ) and Pt . Lemma 5 ([1, Lemma 1]). Let C, C¯t and Pt be as above. The minimum Hamming distance of C satisfies dH (C) ≤ Pt dH (C¯t ) for all t ∈ {0, 1, . . . , ps − 1}. Theorem 1 ([1, Theorem 1]). Let C, C¯t and Pt be as above. Then dH (C) = Pt dH (C¯t ) for some t ∈ T . Combining Lemma 5 and Theorem 1, we obtain dH (C) = min{Pt dH (C¯t ) :
t ∈ T }.
(4)
Clearly, (1) implies that dH (C) = Pt dH (C¯t ) is impossible for i ≥ j > t and j ≥ i > t. So we will consider only the cases (2) and (3) in our computations. The following proposition is a useful tool for our computations.
Proposition 1. Let t, t ∈ T , then t < t if and only if Pt < Pt . Proof. We have t = (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−(e−1) + rps−e
t = (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−(e
−1)
and
+ r ps−e
for some 1 ≤ e, e ≤ s and 1 ≤ r, r ≤ p − 1 as t, t ∈ T . First assume that t > t . Then either e > e , or e = e and r > r . If e > e , then pe−e ≥ p so pe−e (r + 1) ≥ 2p. Moreover r ≤ p − 1 implies r + 1 ≤ p. So we get pe−e (r + 1) − (r + 1) ≥ p. Therefore
Pt − Pt = pe (pe−e (r + 1) − (r + 1)) ≥ pe p > 0.
96
¨ ¨ H. Ozadam and F. Ozbudak
Hence Pt > Pt . If e = e and r > r , then Pt − Pt = pe ((r + 1) − (r + 1)) = pe (r − r ) > 0 and hence Pt > Pt . Using similar arguments, we obtain that if
Pt > Pt , then t > t . This completes the proof. As an immediate consequence of Proposition 1, we have min{Pt :
t∈T ,
t ≥ j} = min{Pt :
t∈T ,
i > t ≥ j},
(5)
provided that these sets are nonempty. We use (5) from Lemma 8 on. The minimum value of Pt is given in the following two lemmas, as t runs through certain sets. These sets are determined from the ranges of i and j in the definition of cyclic codes. Note that if i is an integer satisfying 1 ≤ i ≤ (p − 1)ps−1 , then there exists a uniquely determined integer β such that 0 ≤ β ≤ p − 2 and βps−1 + 1 ≤ i ≤ (β + 1)ps−1 . Lemma 6. Let be an integer such that βps−1 + 1 ≤ ≤ (β + 1)ps−1 , where β is an integer with 0 ≤ β ≤ p − 2. Then min{Pt : t ≥ and t ∈ T } = β + 2. Proof. If t ≥ and t ∈ T , then t ≥ (β + 1)ps−1 . So we get min{t ∈ T : t ≥ } = (β + 1)ps−1 . Using Proposition 1, we obtain min{Pt : t ≥ and t ∈ T } = β + 2.
Note that ps − ps−1 < ps − ps−2 < · · · < ps − ps−s = ps − 1. Hence for an integer i satisfying (p − 1)ps−1 + 1 = ps − ps−1 + 1 ≤ i ≤ ps − 1, there exists a uniquely determined integer k such that 1 ≤ k ≤ s−1 and ps −ps−k +1 ≤ i ≤ ps −ps−k−1 . Moreover we have ps − ps−k < ps − ps−k + ps−k−1 < ps − ps−k + 2ps−k−1 < · · · < ps − ps−k + (p − 1)ps−k−1 and ps − ps−k + (p − 1)ps−k−1 = ps − ps−k−1 . Therefore for such integers i and k, there exists a uniquely determined integer τ with 1 ≤ τ ≤ p − 1 such that ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ i ≤ ps − ps−k + τ ps−k−1 . Lemma 7. Let τ and k be integers with 1 ≤ τ ≤ p − 1 and 1 ≤ k ≤ s − 1. If is an integer with ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ ≤ ps − ps−k + τ ps−k−1 , then min{Pt : t ≥ and t ∈ T } = (τ + 1)pk . Proof. For 0 ≤ α ≤ p − 1, we have ps − ps−k + αps−k−1 = (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−k + αps−k−1 . So we get (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−k + (τ − 1)ps−k−1 + 1 ≤ ≤ (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−k + τ ps−k−1 . Now t ≥ and t ∈ T implies t ≥ (p − 1)ps−1 + (p − 1)ps−2 + · · · + (p − 1)ps−k + t ≥ } = (p − 1)ps−1 + (p − 1)ps−2 + · · · + τ ps−k−1 . Thus min{t ∈ T : s−k s−k−1 (p − 1)p + τp . Hence, using Proposition 1, we obtain min{Pt : t ∈ T and t ≥ } = (τ + 1)ps−k .
Now we are ready to obtain the minimum Hamming distance of the cyclic codes when 0 < j ≤ ps−1 < i < ps in the following two lemmas. Recall that from Lemma 8 till Theorem 2 we state the results when j ≤ i only. For j > i, the
The Minimum Hamming Distance of Cyclic Codes of Length 2ps
97
analogous results are obtained by the same method, and their statements are included in Theorem 2. Lemma 8. Let C = (x − 1)i (x + 1)j , where 2ps−1 ≥ i > ps−1 ≥ j > 0. Then dH (C) = 3. Proof. Note that ps−1 ∈ T and i > ps−1 ≥ j. Hence the set {Pt : T and i > t ≥ j} is nonempty. So, by Lemma 6, we get min{Pt : T and i > t ≥ j} = 2. If i > t ≥ j, then dH (C¯t ) = 2 by (2), thus
t ∈ t ∈
t∈T
(6)
min{Pt dH (C¯t ) :
and i > t ≥ j} = 4.
If t ≥ i > j and 2ps−1 ≥ i > ps−1 , then, by Lemma 6, we get min{Pt : T and t ≥ i > j} = 3. Note that dH (C¯t ) = 1 by (3), so
t∈
t∈T
(7)
min{Pt dH (C¯t ) :
and t ≥ i > j} = 3.
Using (4), (6) and (7), we conclude dH (C) = 3.
Lemma 9. Let C = (x − 1)i (x + 1)j , where ps > i > 2ps−1 and ps−1 ≥ j > 0. Then dH (C) = 4. Proof. By Lemma 6, (2) and (3) we get min{Pt dH (C¯t ) : min{dH (C¯t )Pt :
t∈T
and i > t ≥ j} = 4,
(8)
t∈T
and t ≥ i > j} ≥ 4.
(9)
Using (4), (8) and (9), we obtain dH (C) = 4. We consider the case ps−1 + 1 ≤ j ≤ i ≤ (p − 1)ps−1 in the following lemma.
Lemma 10. Let j ≤ i, 1 ≤ β ≤ β ≤ p − 2 be integers with βps−1 + 1 ≤ i ≤ (β + 1)ps−1 and β ps−1 + 1 ≤ j ≤ (β + 1)ps−1 . Let C = (x − 1)i (x + 1)j , then dH (C) = min{β + 2, 2(β + 2)}.
Proof. First suppose that β = β . Note that if i > t ≥ j, then t ∈ T . For t ≥ i ≥ j, by Lemma 6, we get min{Pt : t ∈ T and t ≥ i ≥ j} = β + 2 = β + 2. For t ≥ i ≥ j, dH (C¯t ) = 1 by (3). So we have min{Pt dH (C¯t ) :
t∈T
and t ≥ i ≥ j} = β + 2 = β + 2.
Next we assume β < β. Then, using Lemma 6, we get min{Pt : t ∈ T t ≥ j} = (β + 2). Since i > t ≥ j, dH (C¯t ) = 2 by (2), therefore min{Pt dH (C¯t ) :
t∈T
t∈T
and i >
and i > t ≥ j} = 2(β + 2).
For t ≥ i ≥ j, using Lemma 6, we get min{Pt : (β + 2). Since t ≥ i ≥ j, dH (C¯t ) = 1 by (3), thus min{Pt dH (C¯t ) :
(10)
t∈T
(11)
and t ≥ i ≥ j} =
and t ≥ i ≥ j} = β + 2.
Using (4), (10), (11) and (12), we obtain dH (C) = min{2(β + 2), β + 2}.
(12)
¨ ¨ H. Ozadam and F. Ozbudak
98
The following lemma deals with the case ps−1 + 1 ≤ j < (p − 1)ps−1 < i ≤ ps − 1. Lemma 11. Let i, j, 1 ≤ τ ≤ p − 1, 1 ≤ β ≤ p − 2 and 1 ≤ k ≤ s − 1 be integers such that ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ i ≤ ps − ps−k + τ ps−k−1 and βps−1 + 1 ≤ j ≤ (β + 1)ps−1 . Let C = (x − 1)i (x + 1)j , then dH (C) = 2(β + 2). Proof. By Lemma 6, (2), Lemma 7 and (3), we get min{Pt dH (C¯t ) : min{Pt dH (C¯t ) :
t∈T
and i > t ≥ j} = 2(β + 2),
t∈T
k
(13)
and t ≥ i > j} = (τ + 1)p .
(14)
It follows from β ≤ p − 2, 1 ≤ τ and 1 ≤ k that 2(β + 2) ≤ 2p ≤ (τ + 1)pk . So, using (4), (13) and (14), we obtain dH (C) = 2(β + 2)..
In the following two lemmas, we obtain the minimum Hamming distance when (p − 1)ps−1 + 1 ≤ j ≤ i ≤ ps − 1.
Lemma 12. Let j ≤ i, 1 ≤ k ≤ s − 1, 1 ≤ τ ≤ τ ≤ p − 1 be integers such that ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ i ≤ ps − ps−k + τ ps−k−1 and ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ j ≤ ps − ps−k + τ ps−k−1 .
Let C = (x − 1)i (x + 1)j , then dH (C) = min{2(τ + 1)pk , (τ + 1)pk }.
Proof. First suppose that τ = τ . Obviously, there exists no t ∈ T with i > t ≥ j. So we consider t ≥ i ≥ j. By Lemma 7 and (3) we get min{Pt dH (C¯t ) :
t∈T
and t ≥ j ≥ i} = (τ + 1)pk .
(15)
Next suppose that τ < τ . By Lemma 7, (2) and (3) we get min{Pt dH (C¯t ) : min{Pt dH (C¯t ) :
t∈T t∈T
and i > t ≥ j} = 2(τ + 1)pk ,
(16)
k
and t ≥ i ≥ j} = (τ + 1)p .
(17)
Using (4), (15), (16) and (17), we obtain dH (C) = min{2(τ + 1)pk , (τ + 1)pk }.
Lemma 13. Let i, j, 1 ≤ k < k ≤ s − 1, 1 ≤ τ , τ ≤ p − 1 be integers such that ps − ps−k + (τ − 1)ps−k−1 + 1 ≤ i ≤ ps − ps−k + τ ps−k−1 and ps − ps−k + (τ − 1)ps−k −1 + 1 ≤ j ≤ ps − ps−k + τ ps−k −1 . Let C = (x − 1)i (x + 1)j , then dH (C) = 2(τ + 1)pk . Proof. By Lemma 7, (2) and (3) we get min{Pt dH (C¯t ) : min{Pt dH (C¯t ) :
t∈T t∈T
and i > t ≥ j} = 2(τ + 1)pk , and t ≥ i > i} = (τ + 1)pk .
(18) (19)
It follows from k > k , τ + 1 ≥ 2 and τ + 1 ≤ p that pk (τ + 1) ≥ 2pk (τ + 1). So, using (4), (18) and (19) we obtain dH (C) = min{2(τ + 1)pk , (τ + 1)pk } =
2(τ + 1)pk .
The Minimum Hamming Distance of Cyclic Codes of Length 2ps
99
Finally it remains to consider the cases i = ps and 0 < j ≤ ps − 1. Clearly, for i = ps and 0 < j ≤ ps − 1, there is no t ∈ T with t ≥ i ≥ j, so we only consider i > t ≥ j in the following three lemmas. Their proofs follow from Lemma 6, Lemma 7, (2), (4) and similar arguments as above. s
Lemma 14. Let 0 < j ≤ ps−1 be an integer and let C = (x − 1)p (x + 1)j . Then dH (C) = 4. Lemma 15. Let 1 ≤ β ≤ p − 2, βps−1 + 1 ≤ j ≤ (β + 1)ps−1 be integers. Let s C = (x − 1)p (x + 1)j , then dH (C) = 2(β + 2). Lemma 16. Let 1 ≤ τ ≤ p − 1, 1 ≤ k ≤ s − 1, j be integers such that ps − s ps−k + (τ − 1)ps−k−1 + 1 ≤ j ≤ ps − ps−k + τ ps−k−1 . Let C = (x − 1)p (x + 1)j , then dH (C) = 2(τ + 1)pk . We summarize our results in the following theorem (see Table 1 also). Theorem 2. Let p be an odd prime and let a, s be arbitrary positive integers. For q = pa , all cyclic codes of length 2ps over Fq are of the form (x − 1)i (x + 1)j ⊂ s s Fq [x]/x2p − 1 with 0 ≤ i, j ≤ ps . Let C = (x − 1)i (x + 1)j ⊂ Fq [x]/x2p − 1. Table 1. The minimum Hamming distance of all nontrivial cyclic codes, of the form (x − 1)i (x + 1)j , of length 2ps over Fq . The parameters 1 ≤ β ≤ β ≤ p − 2, (2) (1) (3) (4) <τ ≤ p − 1, 1 ≤ τ, τ , τ ≤ p − 1 , 1 ≤ k ≤ s − 1, 1 ≤ k < k ≤ s − 1 1≤τ are integers. The cases with i ≥ j are given. For the cases with i ≤ j, see Remark 1. Case i 1 0 < i ≤ ps 2 0 ≤ i ≤ ps−1 3 ps−1 < i ≤ 2ps−1 4 2ps−1 < i ≤ ps 5 6 7 8
j j=0 0 ≤ j ≤ ps−1 0 < j ≤ ps−1 0 < j ≤ ps−1
βps−1 + 1 ≤ i ≤ (β + 1)ps−1 ps − ps−k + (τ − 1)ps−k−1 +1 ≤ i ≤ ps − ps−k + τ ps−k−1 ps − ps−k + (τ − 1)ps−k−1 +1 ≤ i ≤ ps − ps−k + τ ps−k−1 ps − ps−k + (τ (1) − 1)ps−k−1 +1 ≤ i ≤ ps − ps−k +τ (1) ps−k−1
ps − ps−k + (τ (3) − 1)ps−k 9
s
+1 ≤ i ≤ p − p
10
i = ps
11
i = ps
s−k
+τ (3) ps−k
−1
β ps−1 + 1 ≤ j ≤ (β + 1)ps−1 βps−1 + 1 ≤ j ≤ (β + 1)ps−1 s
s−k
p −p + (τ − 1)p (τ + 1)pk +1 ≤ j ≤ ps − ps−k + τ ps−k−1 min{ ps − ps−k + (τ (2) − 1)ps−k−1 2(τ (2) + 1)pk , +1 ≤ j ≤ ps − ps−k (2) s−k−1 (τ (1) + 1)pk } +τ p
ps − ps−k + (τ (4) − 1)ps−k +1 ≤ j ≤ p − p
−1
2(β + 2)
s−k−1
s
dH (C) 2 2 3 4 min{β + 2, 2(β + 2)}
s−k
−1
2(τ (4) + 1)pk
+τ (4) ps−k −1 s−1 βp + 1 ≤ j ≤ (β + 1)ps−1 ps − ps−k + (τ − 1)ps−k−1 +1 ≤ j ≤ ps − ps−k +τ ps−k−1
2(β + 2) 2(τ + 1)pk
100
¨ ¨ H. Ozadam and F. Ozbudak s
s s If (i, j) = (0, 0), then C is the whole space F2p q , and if (i, j) = (p , p ), then C is the zero space {0}. For the remaining values of (i, j), the minimum Hamming distance of the cyclic code C is given in Table 1.
Remark 1. We simplified Table 1 by giving the cases only with i ≥ j for some ranges of i and j. The corresponding case with j ≥ i have the same minimum Hamming distance by symmetry. For example in Case 1, the corresponding case is i = 0 and 0 ≤ j ≤ ps , and the minimum Hamming distance is 2.
Acknowledgements The authors would like to thank anonymous referees for their valuable comments. ¨ ITAK ˙ The authors were partially supported by TUB under Grant No. TBAG107T826.
References 1. Castagnoli, G., Massey, J.L., Schoeller, P.A., von Seemann, N.: On repeatedroot cyclic codes. IEEE Trans. Inform. Theory 37, 337–342 (1991) 2. Dihn, H.Q.: On the linear ordering of some classes of negacyclic and cyclic codes and their distance distributions. Finite Fields Appl. 14, 22–40 (2008) 3. Lidl, R., Niederreiter, H.: Finite Fields. Cambridge University Press, Cambridge (1997) 4. MacWilliams, F.J., Sloane, N.J.A.: The Theory Of Error Correcting Codes. North Holland, Amsterdam (1978) ¨ ¨ 5. Ozadam, H., Ozbudak, F.: A note on negacyclic and cyclic codes of length ps over a finite field of characteristic p (2009) (submitted) 6. S˘ al˘ agean, A.: Repeatedroot cyclic and negacyclic codes over a finite chain ring. Discrete Appl. Math. 154(2), 413–419 (2006) 7. L´ opezPermouth, S.R., Szabo, S.: On the Hamming weight of repeatedroot cyclic and negacyclic codes over Galois rings (2009) (preprint) 8. van Lint, J.H.: Repeatedroot cyclic codes. IEEE Trans. Inform. Theory 37, 343–345 (1991) 9. Zimmerman, K.H.: On generalizations of repeatedroot cyclic codes. IEEE Trans. Inform. Theory 42, 641–649 (1996)
There Are Not Nonobvious Cyclic Aﬃneinvariant Codes ´ Jos´e Joaqu´ın Bernal, Angel del R´ıo, and Juan Jacobo Sim´ on Departamento de Matem´ aticas, Universidad de Murcia, Spain
Abstract. We show that an aﬃneinvariant code C of length pm is not permutation equivalent to a cyclic code except in the obvious cases: m = 1 or C is either {0}, the repetition code or its dual.
Aﬃneinvariant codes were ﬁrstly introduced by Kasami, Lin and Peterson [KLP2] as a generalization of ReedMuller codes. This class of codes has received the attention of several authors because of its good algebraic and decoding properties [D, BCh, ChL, Ho, Hu]. It is well known that every aﬃneinvariant code can be seen as an ideal of the group algebra of an elementary abelian group in which the group is identiﬁed with the standard base of the ambient space. In particular, if C is a code of prime length then C is permutation equivalent to a cyclic code. Other obvious aﬃneinvariant cyclic codes are the trivial code, {0}, the repetition code and the code form by all the evenlike words, provided its length is a prime power. In this paper we prove that these are the only aﬃneinvariant codes which are permutation equivalent to a cyclic code. Our main tools are an intrinsical characterization of group codes obtained in [BRS] and a description of the group of permutation automorphisms of nontrivial aﬃneinvariant codes given in [BCh]. These results are reviewed in Section 1, where we also recall the deﬁnition and main properties of aﬃneinvariant codes. In Section 2 we prove the main result of the paper.
1
Preliminaries
In this section we recall the deﬁnition of (left) group code and the intrinsical characterization given in [BRS]. We also recall the deﬁnition of aﬃneinvariant code and the description of its group of permutation automorphisms given in [BCh]. All throughout F is a ﬁeld of order a power of p, where p is a prime number. The ﬁnite ﬁeld with ps elements is denoted by Fps . For a group G, we denote by FG the group ring of G with coeﬃcients in F. All the group theoretical notions used in this paper can be easily founded in [R]. Definition 1. If E is the standard basis of Fn , C ⊆ Fn is a linear code and G is a group (of order n) then we say that C is a Gcode if there is a bijection
Research supported by D.G.I. of Spain and Fundaci´ on S´eneca of Murcia.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 101–106, 2009. c SpringerVerlag Berlin Heidelberg 2009
102
´ del R´ıo, and J.J. Sim´ J.J Bernal, A. on
φ : E → G such that the linear extension of φ to an isomorphism φ : Fn → FG maps C to an ideal of FG. A group code is a linear code which is a Gcode for some group G. A cyclic group code (respectively, abelian group code, solvable group code, etc) is a linear code which is Gcode for some cyclic group G (respectively, abelian group, solvable group, etc). Let Sn denote the group of permutations of n symbols. Every σ ∈ Sn deﬁnes an automorphism of Fn in the obvious way, i.e. σ(x1 , . . . , xn ) = (xσ−1 (1) , . . . , xσ−1 (n) ). By deﬁnition, the group of permutation automorphisms of a linear code C of length n is PAut(C) = {σ ∈ Sn : σ(C) = C}. An intrinsical characterization of group codes C in terms of PAut(C) has been obtained in [BRS]. Four our purposes we only need to consider abelian groups. So we record in the following theorem the specialization of [BRS, Theorem 1.2] to abelian groups. Theorem 1. [BRS] Let C be a linear code of length n over a ﬁeld F and G a ﬁnite abelian group of order n. Then C is a Gcode if and only if G is isomorphic to a transitive subgroup H of Sn . In the remainder of the paper we assume that I = Fpm . Often we will be only using the underlying additive structure of I; for example, FI is the group algebra of this additive group with coeﬃcients in F. Let S(I) denote the group of permutations of I. Every element of S(I) induces a unique Flinear bijection of the group algebra FI. For an Fsubspace C of FI, let PAut(C) = {σ ∈ S(I) : σ(C) = C}. An aﬃneinvariant code is an Fsubspace C of FI formed by evenlike words such that PAut(C) contains the maps of the form x ∈ I → αx + β, with α ∈ I ∗ = {a ∈ I : a = 0} and β ∈ I. These maps are called aﬃne transformations of I. m Observe that if Fp is identiﬁed with FI via some bijection from {1, . . . , pm } to I, then the linear codes of length pm correspond to subspaces of FI in such a way that the groups of permutations automorphisms agree. Therefore if C is a subspace of FI and G is a group then C is a left Gcode if and only if PAut(C) contains a regular subgroup H of S(I) isomorphic to G and it is a Gcode if H can be selected such that CS(I) (H) ⊆ PAut(C). Aﬃneinvariant codes can be seen as extended cyclic codes. Recall that a cyclic code C of length n over F is a subspace of Fn which is closed under cyclic permutations, that is if (x1 , x2 , . . . , xn−1 , xn ) is an element of C then so is (xn , x1 , x2 , . . . , xn−1 ). Cyclic codes are cyclic group codes via the bijection φ : E → G given by φ(ei ) = g i−1 , where E = {e1 , . . . , en } is the standard basis of Fn and G is a cyclic group of order n generated by g. Conversely, any ideal of the group algebra FG, with G a cyclic group of order n can be seen as a cyclic code with a suitable identiﬁcation of the elements of G with the coordinates. The zeroes of a cyclic code C of length n are the nth roots of unity α such that x0 + x1 α + x2 α2 + · · · + xn−1 αn−1 = 0, for every (x0 , x1 , . . . , xn−1 ) ∈ C.
There Are Not Nonobvious Cyclic Aﬃneinvariant Codes
103
It is well known that every cyclic code is uniquely determined by its zeroes and conversely, if ζ is a primitive nth root of unity and D is a union of qcyclotomic classes modulo n then there is a unique qary cyclic code of length n whose set of zeroes is {ζ i : i ∈ D}. Let C ⊆ FI be an aﬃneinvariant code and let C ∗ denote the code obtained by puncturing C at the coordinate labelled by 0. The permutation automorphisms of C which ﬁx 0 induces permutation automorphisms of C ∗ . In particular, PAut(C ∗ ) contains the maps of the form x → αx, for α ∈ I ∗ . This maps form a cyclic group isomorphic to the group of units of the ﬁeld I. So, C ∗ is a cyclic group code and C is the extended code obtained by adding a parity check coordinate. However not every code obtained by extending a cyclic code of length pm − 1 is aﬃneinvariant. We recall a characterization of Kasami, Lin and Peterson of the extended cyclic codes which are aﬃneinvariant in terms of the roots of the cyclic code [KLP1]. The padic expansion ofa nonnegative integer x is the list of integers (x0, x1 , . . . ) with 0 ≤ xi < p and x = i≥0 xi pi . The padic expansion yields a partial ordering in the set of positive integers by setting x y if xi ≤ yi , for every i, where (xi ) and (yi ) are the padic expansions of x and y, respectively. Let n = pm − 1 and let α be a primitive element of I, i.e. a generator of I ∗ . Identify the standard basis of Fn , E = {e1 , . . . , en }, with I ∗ via the map ei → αi−1 . A cyclic code C ∗ of length n is determined by the following set DC ∗ = {i : 0 ≤ i < n, αi is a zero of C ∗ }. Since C ∗ is a qary cyclic code, with q = pr , the set DC ∗ is invariant under multiplication by q modulo n, that is, DC ∗ is a union of qcyclotomic classes modulo n. Conversely, every union D of qcyclotomic classes modulo n, yields to a uniquely deﬁned cyclic code C ∗ of length n with D = DC ∗ . If C ∗ is a cyclic code and C is its corresponding extended code then the deﬁning set of C is by deﬁnition DC = DC ∗ ∪ {0} if 0 ∈ DC , and DC = DC ∗ ∪ {n} if 0 ∈ DC ∗ . Proposition 1. [KLP1][Hu, Corollary 3.5] Let C ∗ be a cyclic code of length n = pm − 1 and C the extended code of C ∗ . Then C is aﬃneinvariant if and only if DC satisfy the following condition for every 1 ≤ s, t ≤ n: s t and t ∈ DC
⇒
s ∈ DC .
(1)
The trivial code and the repetition code of length n are cyclic with deﬁning sets {0, 1, 2, . . . , n − 1} and {1, 2, . . . , n − 1} respectively. Their duals, i.e. Fn and the space of all the evenlike words, are also cyclic nwith deﬁning sets ∅ and {0}. Recall that a word (x1 , . . . , xn ) is evenlike if i=1 xi = 0. When n = pm − 1, except for the last one, all the others give rise to aﬃneinvariant codes of length pm : the trivial code, the repetition code and the code formed by the evenlike words. These three codes are known as the trivial aﬃneinvariant codes. For future use we describe the aﬃneinvariant codes of length 4.
104
´ del R´ıo, and J.J. Sim´ J.J Bernal, A. on
Example 1 (Aﬃneinvariant codes of length 4). Let D be the deﬁning set of an aﬃneinvariant code C of length 4 over F2r . Then C is trivial as an aﬃneinvariant code if and only if D is either {0}, {0, 1, 2} or {0, 1, 2, 3}. Since D is invariant by multiplication by 2r modulo 3 and satisﬁes condition (1), if r is odd then there are not non trivial aﬃneinvariant codes. However, if r is even then there are two nontrivial aﬃneinvariant codes with deﬁning sets {0, 1} and {0, 2} respectively. If C is a trivial aﬃneinvariant code then PAut(C) = Sn , and therefore C is Gcode for every group G of order pm . So to avoid trivialities, in the remainder of the paper all the aﬃneinvariant codes are suppose to be nontrivial. The group of permutations of a (nontrivial) aﬃneinvariant code has been described by Berger and Charpin [BCh]. In order to present their description we need to introduce some notation. We use the notation N G to represent a semidirect product of N by G via some action of G on N , which is going to be clear from the context. That is, N and G are groups and there is a group homomorphism σ : G → Aut(N ) associating g ∈ G to σg . The underlying set of N G is the direct product N × G and the product is given by (n1 , g1 )(n2 , g2 ) = (n1 σg1 (n2 ), g1 g2 ). For every dm let GL(IFpd ) and Aﬀ d (I) denote the groups of linear and aﬃne transformations of I as vector space over Fpd . The group of Fpd automorphisms of the ﬁeld I is denoted by Gal(I/Fpd ). We identify every element y ∈ I with the translation x → x + y. Then Aﬀ d (I) = I GL(IFpd ). Given two divisors a and b of m with ba, let Ga,b = {f ∈ GL(IFpb ) : f is τ − semilinear for some τ ∈ Gal(Fpa /Fpb )}. We claim that Ga,b = GL(IFpa ), Gal(I/Fpb ) . Indeed, if f is τ semilinear with τ ∈ Gal(Fpa /Fpb ) then τ is the restriction of σ for some σ ∈ Gal(I/Fpb ) and f σ −1 ∈ GL(IFpa ). Theorem 2. [BCh, Corollary 2] Let C be a nontrivial aﬃneinvariant code of length pm over Fq , with q = pr . Let a = a(C) = min{dm : Aﬀ d (I) ⊆ PAut(C)}, b = b(C) = min{d ≥ 1 : pd DC = DC } Then br, bam and PAut(C) = Aﬀ a (I), Gal(I/Fpb ) = I Ga,b . A method to compute a(C) and b(C) was ﬁrstly obtained by Delsarte [D]. Later, Berger and Charpin founded two alternative methods to calculate a(C) and b(C) which are sometimes computationally simpler [BCh].
2
Aﬃneinvariant Cyclic Group Codes
Let C be an aﬃneinvariant code. Then C is an Icode, since the group of translations of I (which we have identiﬁed with the additive group I) is a transitive
There Are Not Nonobvious Cyclic Aﬃneinvariant Codes
105
subgroup of S(I) contained in PAut(C). So every aﬃneinvariant code is an elementary abelian group code. In particular, if the length of C is prime then C is a cyclic group code. Next result shows that this one is the only type of nontrivial aﬃneinvariant cyclic group codes. Theorem 3. A nontrivial aﬃneinvariant code is permutation equivalent to a cyclic code if and only if it has prime length. Proof. Assume that C is a non trivial aﬃneinvariant code of length pm which is permutation equivalent to a cyclic code. Then C is a cyclic group code. By Theorem 1, this implies that G = PAut(C) contains a cyclic subgroup of order pm or equivalently G contains an element of order pm . Let a = a(C), b = b(C), as in Theorem 2 and h = m/a. Let pt be the maximum pth power dividing a/b, and pu the minimum pth power greater or equal than h. We ﬁrst show that the existence of an element g of order pm in G implies a strong relation on these parameters which reduces to some few cases. By Theorem 2, G = I Ga,b . Furthermore H = I GL(IFpa ) is a normal subgroup of index a/b in G. Since the order of G is a pth power and pt is t the maximum pth power dividing a/b, g p is an element of order pm−t in H. Furthermore, H is isomorphic to Fhpa GLh (Fpa ), where GLh (Fpa ) is the group of invertible h × h matrices with entries in Fpa . Therefore there is an element (x, A) ∈ Fhpa GLh (Fpa ) of order pm−t . This implies that A has order pk with m − t − 1 ≤ k. Since the order of A is a power of p, and the ﬁelds of characteristic p do not have elements of orden p, the only eigenvalue of A is 1. We may assume that A is given in Jordan form and hence A = I + N where N is an upper u triangular matrix with zeroes in the diagonal. Then N p = 0 and therefore u Ap = I. Thus m − t − 1 ≤ k ≤ u = logp (h) and we conclude that m ≤ 1 + t + logp (h) < 2 + logp (a) + logp (h) = 2 + logp (m).
(2)
We have to prove that m = 1. Otherwise, (2) implies that either m = 2 or m = 3 and p = 2. Case 1: m = 2. We claim that in this case p = 2. Indeed, if p > 2 then 0 < logp (2) < 1 and t = 0, since pt divides m = 2. Hence 2 = m ≤ 1 + logp (h) ≤ 1 + logp (m) = 2 and so h = 2. Hence (x, A) is an element of order p2 in F2p GL2 (Fp ). Thus there are 1y x1 , x2 , y ∈ Fp such that ((x1 , x2 ), A)p = (0, 1), where A = . However 01 p−1 p ((x1 , x2 ), A)p = (x + iyx ), py , A 1 2 i=0 p(p−1) = yx , 0 , 1 = (0, 1), 2 2 which is the desired contradiction. Hence p = 2 and so C has length 4. Since C is nontrivial as aﬃneinvariant code, by Example 1, r is even and DC = {0, 1} or {0, 2}. By the deﬁnition of b(C) we have b = 2 and hence a = 2. We deduce that PAut(C) = I F∗4 . Hence
106
´ del R´ıo, and J.J. Sim´ J.J Bernal, A. on
I F2p is the only subgroup of order 4 of PAut(C) and we conclude that C is not cyclic group code. Case 2: m = 3 and p = 2. Then t = 0 and 3 ≤ 1 + log2 (h) ≤ 1 + log2 (m) = 3, by (2). Thus h = 3, or equivalently a = 1 and hence b = 1. Thus (x, A) is an element of order 8 in F32 GL3 (F2 ). Then u = log2 (3) = 2 and so A4 = 1. If A2 = 1 then x4 = 1, a contradiction. Therefore A is a Jordan matrix of order 4 and thus ⎛ ⎞ 110 A = ⎝0 1 1⎠ 001 However I + A + A2 + A3 = 0. Then (x, A)4 = ((I + A + A2 + A3 )x, A4 ) = (0, 1), a contradiction.
References [BCh]
Berger, T.P., Charpin, P.: The Permutation group of aﬃneinvariant extended cyclic codes. IEEE Trans. Inform. Theory 42, 2194–2209 (1996) ´ Sim´ [BRS] Bernal, J.J., del R´ıo, A., on, J.J.: An intrinsical description of group codes. Designs, Codes, Cryptog. (to appear), doi:10.1007/s106230089261z [ChL] Charpin, P., LevyDitVehel, F.: On Selfdual aﬃneinvariant codes, J. Comb. Theory, Series A 67, 223–244 (1994) [D] Delsarte, P.: On cyclic codes that are invariant under the general linear group. IEEE Trans. Inform. Theory IT16, 760–769 (1970) [Ho] Hou, X.D.: Enumeration of certain aﬃne invariant extended cyclic codes. J. Comb. Theory, Series A 110, 71–95 (2005) [Hu] Huﬀman, W.C.: Codes and groups. In: Pless, V.S., Huﬀman, W.C., Brualdi, R.A. (eds.) Handbook of coding theory, vol. II, pp. 1345–1440. NorthHolland, Amsterdam (1998) [KLP1] Kasami, T., Lin, S., Peterson, W.W.: Some results on cyclic codes which are invariant under the aﬃne group and their applications. Information and Control 11, 475–496 (1967) [KLP2] Kasami, T., Lin, S., Peterson, W.W.: New generalizations of the ReedMuller codes part I: primitive codes. IEEE Trans. Inform. Theory IT14, 189–199 (1968) [R] Robinson, D.J.S.: A course in the theory of groups. Springer, Heidelberg (1996)
On Selfdual Codes over Z16 Kiyoshi Nagata , Fidel Nemenzo, and Hideo Wada Department of Business Studies and Informatics, Daito Bunka University, Tokyo, Japan [email protected] Institute of Mathematics, University of the Philippines, Quezon City, Philippines [email protected] Faculty of Science and Technology, Sophia University, Tokyo, Japan [email protected]
Abstract. In this paper, we look at selfdual codes over the ring Z16 of integers modulo 16. From any doubly even selfdual binary code, we construct codes over Z16 and give a necessary and suﬃcient condition for the selfduality of induced codes. We then give an inductive algorithm for constructing all selfdual codes over Z16 , and establish the mass formula, which counts the number of such codes. Keywords: Selfdual codes, Doubly even codes, Finite rings, Mass formula.
1
Introduction
There has been much interest in codes over the ring Zm of integers modulo m and ﬁnite rings in general, since the discovery [5] of a relationship between nonlinear binary codes and linear quaternary codes. By applying the Chinese Remainder Theorem [2] to selfdual codes over Zm , it suﬃces to look at codes over integers modulo prime powers. We consider the problem of ﬁnding the mass formula, which counts the number of selfdual codes of given length. In [4], Gaborit gave a mass formula for selfdual quaternary codes. This was generalized in [1] to the ring Zp2 and in [6] to Zp3 for all primes p. In [7], we gave a mass formula over Zps in [7] for any odd prime p and any integer s ≥ 4. In this paper, we will give an inductive algorithm for constructing selfdual codes over Z16 from a given binary code. As a consequence, we obtain a mass formula for such codes. A code of length n over a ﬁnite ring R is an Rsubmodule of Rn . Elements of codes are called codewords. Associated to a code C is a generator matrix, whose rows span C and are linearly independent in binary case. Two codewords as vectors) are orthogonal if x = (x1 , . . . , xn ) and y = (y1 , . . . , yn ) (considered their Euclidean inner product x · y = i xi yi is zero. The dual C ⊥ of a code C over a ring R consists of all vectors of Rn which are orthogonal to every codeword in C. A code C is said to be selfdual (resp. selforthogonal) if C = C ⊥ (resp. C ⊆ C ⊥ ).
Corresponding author.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 107–116, 2009. c SpringerVerlag Berlin Heidelberg 2009
108
2
K. Nagata, F. Nemenzo, and H. Wada
Construction of Selfdual Codes over Z16
Every code C of length n over Z16 has a generator matrix which, after a suitable permutation of coordinates, can be written as ⎡ ⎤ ⎡ ⎤ T1 Ik1 A11 A12 A13 A14 ⎢ 2T2 ⎥ ⎢ 0 2Ik2 2A22 2A23 2A24 ⎥ ⎥ ⎢ ⎥ C=⎢ ⎣ 22 T3 ⎦ = ⎣ 0 0 22 Ik3 22 A33 22 A34 ⎦ , 23 T4 0 0 0 23 Ik4 23 A44 where Iki is the ki × ki identity matrix, and the other matrices Aij ’s (1 ≤ i ≤ j ≤ 4) are considered modulo 2j−i+1 . The columns are grouped in blocks of sizes k1 , k2 , k3 , k4 and k5 , with n = k1 + k2 + k3 + k4 + k5 . In [7] we showed that C is selfdual if and only if k1 = k5 , k2 = k4 and Ti Tjt ≡ 0 (mod 26−i−j ) for i and j such that 1 ≤ i ≤ j ≤ 4 and i + j ≤ 5. We showed in [7] that selfdual codes over the ring Zps are induced from codes over the ring Zps−2 , for any odd prime p and integer s ≥ 4. In this paper we look at the case when p = 2 and show that selfdual codes over Z24 can be constructed from a code over Z22 represented by a generator matrix ⎤ ⎡ T1 ⎣ T2 ⎦ (mod 22 ), 2T3 where T1 has some generator vectors t1 , ..., tk1 such that ti · ti ≡ 0 (mod 23 ) for all i = 1, ..., k1 . Such a representation of a quaternary code is called T1 doubly even. We thus construct selfdual codes over Z24 from doubly even selfdual binary codes via the following constructive scheme diagram ⎤ ⎡ ⎤ ⎡ T1
T1 ⎢ 2T2 ⎥ ⎢ 2 ⎥ (mod 24 ) ← ⎣ T2 ⎦ (mod 22 ) ← T1 (mod 2), ⎣ 2 T3 ⎦ T2 2T 3 23 T4 where Ti ’s are composed of linearly independent binary codewords as row vectors and [Ti ] denotes the code generated by Ti . In the right of the diagram above, the boldface symbols denote doubly even binary codes. The boldface part in the middle of the diagram, T1 , denotes the T1 doubly even representation. In [4] Gaborit gave the number of doubly even selfdual binary codes of size n and dimension k1 + k2 , and from this we obtain a mass formula for counting the number of T1 doubly even representations of quaternary codes induced from a given doubly even selfdual binary code. We start with a doubly even selfdual binary code C0 of size n and of dimension k1 + k2 , and divide it into two subspaces of dimension k1 and k2 . The number k 1 −1 2k1 +k2 −i − 1 . The code C0 can be of such divisions is ρ(k1 + k2 , k1 ) = 2k1 −i − 1 i=0 represented as
On Selfdual Codes over Z16
C0 =
(0)
T1 (0) T2
=
109
(0) (0) (0) (0) Ik1 A11 A12 A13 A14 (0) (0) (0) , 0 Ik2 A22 A23 A24
(0)
where the A∗ are considered modulo 2. (0) Though A11 is supposed to be 0 in a usual binary code basis expression, we (0) should remark that some A11 is necessary, since we consider it mod 2 in the lifted quaternary expression. These diﬀerences are counted in ρ(k1 + k2 , k1 ). By a suitable permutation of columns, we can assume that the binary square matrix (0) (0) A13 A14 (0) and A14 are invertible. (0) (0) A23 A24 Next we construct a quaternary code C1 , represented by ⎤ ⎤ ⎡ (0) (0) (1) (0) (1) (0) (1) Ik1 A11 A12 + 2A12 A13 + 2A13 A14 + 2A14 T1 ⎢ (0) (0) (1) (0) (1) ⎥ C1 = ⎣ T2 ⎦ = ⎣ 0 Ik2 A22 A23 + 2A23 A24 + 2A24 ⎦ . (0) (0) 2T3 0 0 2Ik3 2A33 2A34 ⎡
(1)
Here we notice that A12 is necessary, since 2Ik3 becomes 22 Ik3 in the extended code over Z24 . There are two conditions for C1 to be selfdual, and the ﬁrst is
T1 T t ≡ 0 (mod 2). T2 3
(0) (0) t A13 A14 (0) (0) This implies that (mod 2), thus Ik3 ≡ A33 A34 (0) (0) A23 A24 ⎛ −1 ⎞t (0) (0) (0) A13 A14 A12 ⎠ (0) (0) . A33 A34 is uniquely determined as ⎝ (0) (0) (0) A23 A24 A22
(0) (1) (0) T1 T1 T1 T1 Let = (0) + 2 (1) where (0) is a given doubly even selfdual T2 T2 T T2
2
(1) (1) (1) (1) 0 0 A12 A13 A14 T1 is a binary code. binary code and (1) = (1) (1) T2 0 0 0 A23 A24 Then the selfdual quaternary code has a T1 doubly even representation if (0)
A12 (0) A22
(0)
T1 (0) T2
(0)
T1 (0) T2
t
t
t (0) (1) (1) (1) T1 T1 T1 2 T1 + 2 (0) +2 ≡0 (1) (1) (1) T2 T2 T2 T2
(1)
:= X + X t and the modulus of congruence is 8 only for the diagonal where X entries and 4 otherwise.
110
K. Nagata, F. Nemenzo, and H. Wada (j)
We describe some parts of Ti ’s using binary row vectors such as
(0) A12 (0) A22
(0) A13 (0) A23
(0) A14 (0) A24
⎞ ⎛ ⎞ ∗ a1 a1 ⎟ ⎜ ⎟ ⎜ = ⎝ ... ⎠ = ⎝ ... ... ⎠ , ak ∗ ak ⎛
(1) A12
0
(1) A13 (1) A23
(1) A14 (1) A24
⎞ x1 ⎟ ⎜ = ⎝ ... ⎠ , xk ⎛
where a’s and x’s are of size k3 + k2 + k1 = k3 + k , a ’s are of size k2 + k1 = k . Put xi = (0 xi ) for k1 + 1 ≤ i ≤ k with xi of size k . Dividing the left hand side of congruence (1) by 2, we get (fij ) + (ai · xj + aj · xi ) + 2(xi · xj ),
t (0) (0) T1 T1 with = (2fij ). Thus the selfdual quaternary code C1 has a (0) (0) T2 T2 T1 doubly even representation if
fij 1 2 fii
≡ a i · xj + a j · xi ≡ ai · xi + xi · xi = (ai + 1) · xi
(i < j) (i = 1, ..., k1 )
where the congruence modulus is 2, and 1 = 1k3 +k denotes the all1 vector of size k3 + k . The ﬁrst condition together with the doubly even assumption for C0 is a necessary and suﬃcient condition for the selfduality of the quaternary code C1 , while the second condition is for the T1 doubly even presentation of C1 . We now consider the equation in the following matrix representation. To illustrate, we give such matrix representation for the case when k1 = 2 and k2 = 1. We have ⎛ ⎛ ⎞ ⎞ a1 + 1 g1 ⎛ ⎞ ⎜ ⎜g ⎟ ⎟ xt1 a2 + 1 ⎜ ⎟⎝ t ⎠ ⎜ 2 ⎟ a a ⎜ ⎟ x2 ≡ ⎜ f12 ⎟ , 2 1 ⎝ a ⎝f ⎠ a1 ⎠ xt 3 13 3 a3 a2 f23 where gi := 12 fii (i = 1, 2) and the modulus of congruence is 2. In general, if M is the coeﬃcient matrix in the equation, then the number of row vectors in M is 12 k (k − 1) + k1 with the size of each row equal to (k + k3 ) × k1 + k × k2 = k 2 + k1 k3 . We compute the rank of M . From the deﬁnition, the ranks of (ai ) and (ai ) are both equal to k . Any linearly dependent equation of row vectors in M must not contain any ai ’s and must contain at least one ai + 1. Thus we can assume that ai1 + · · · + aim ≡ 1 for some 1 ≤ i1 < · · · < im ≤ k1 .
(mod 2)
On Selfdual Codes over Z16
111
Going back to the starting code C0 , we write it as ⎞ ⎛ ⎞ ⎛ (0) e1 a1 a1 a1 (0) ⎜ .. .. .. ⎟ .. ⎟ ⎜ ⎟ ⎜ Ik1 A11 ⎟ ⎜ . . . ⎟ . ⎜ ⎜ ⎟ ⎜ ⎟ (0) ⎜ ⎟ ak1 ⎟ ⎜ ek1 ak ak1 ⎟ 1 =⎜ C0 = ⎜ ⎟. ⎜ ⎟ ak1 +1 ⎟ ⎜ 0 e1 ak1 +1 ⎟ ⎜ ⎜ ⎟ ⎜ ⎟ .. ⎜ . .. .. ⎟ ⎝ 0 Ik2 . ⎠ ⎝ .. . . ⎠ ak 0 ek2 ak The selfduality of this code implies that for any j (1 ≤ j ≤ k2 ) (0)
(0)
(0)
(0)
0 ≡ ((ai1 ai1 ) + · · · + (aim aim )) · (ej ak1 +j ) ≡ (ai1 + · · · + aim ) · ej + 1 (0)
(0)
using the equation 0 ≡ (ej ak1 +j ) · (ej index j ranges from 1 to k2 , we have (0)
ak1 +j ) = 1 + ak1 +j · ak1 +j . As the
(0)
ai1 + · · · + aim ≡ 1k2 , and (0)
(0)
(ai1 ai1 ) + · · · + (aim ais ) ≡ 1k2 +(k3 +k ) . Again from the selfduality of C0 , we have for any j (1 ≤ j ≤ k1 ) (0)
(0)
(0)
0 ≡ ((ei1 ai1 ai1 ) + · · · + (eim aim aim )) · (ej aj ≡ (ei1 + · · · + eim ) · ej + 1. (0)
(0)
For the second congruence, we used 0 ≡ (ej aj aj )·(ej aj (0) (aj
aj ) (0)
aj ) = 1+(aj
aj )·
aj ). As the index j ranges from 1 to k1 , we have ei1 + · · · + eim ≡ 1k1 .
Therefore we see that {i1 , ..., im } = {1, ..., k1 } and there is one possible linearly dependent equation in M only when (0)
(e1 a1
(0)
a1 ) + · · · + (ek1 ak1 ak1 ) = 1n ,
which is equivalent to 1n ∈ T1 . So the rank of M is 12 k (k − 1) + k1 − with (0) 1 if 1 ∈ T1 = (2) 0 otherwise. (0)
In the case when = 1, the doubly even quaternary code T1 contains 1 + 2x and 0 ≡ (1 + 2x) · (1 + 2x) = n + 4(1 · x + x · x) = n + 8x · x ≡ n
(mod 8).
We need to check whether the simultaneous congruent equations represented in the matrix have a solution or not. We do this by computing the sum of
112
K. Nagata, F. Nemenzo, and H. Wada
constants in the righthand side corresponding to the rows in M which contain, for i = 1, ..., k1 , either ai + 1 or ai : k1
k k1 1 −1 gi + fij i=1 i=1 j=i+1 ⎛ k1 1 (0) (0) ≡ ⎝ (ei ai ai ) · (ei ai ai ) + 2 4 i=1
≡
(0)
ai
(0)
· aj + 2
1≤i<j≤k1
k1 k1 1 1 1 (0) (0) (ei ai ai ) · (ei ai ai ) ≡ 1n · 1n ≡ n 4 i=1 4 4 i=1
⎞
ai · aj ⎠
1≤i<j≤k1
≡ 0 (mod 2).
We now have the following proposition. Proposition 2.1. Let C0 be a doubly even selfdual binary code with the following representation
(0) (0) (0) (0) (0) T1 Ik1 A11 A12 A13 A14 C0 = (0) = (0) (0) (0) . T2 0 Ik2 A22 A23 A24 If λ(k1 , k2 , k3 ) denotes the number of T1 doubly even selfdual quaternary codes with representation ⎤ ⎤ ⎡ ⎡ (0) (0) (1) (0) (1) (0) (1) Ik1 A11 A12 + 2A12 A13 + 2A13 A14 + 2A14 T1 ⎢ (0) (0) (1) (0) (1) ⎥ (3) C1 = ⎣ T2 ⎦ = ⎣ 0 Ik2 A22 A23 + 2A23 A24 + 2A24 ⎦ (0) (0) 2T3 0 0 2Ik3 2A33 2A34 then λ(k1 , k2 , k3 ) =
(0)
0 if 1 ∈ T1 1 2 2 k (k +1)−k1 +k1 k3 + otherwise
and 8 n
,
where is defined as in (2). (0)
Proof. If 1 ∈ T1 and 8 n then there are no solutions to the matrix congruent equation. Otherwise, we are free to choose binary values for the entries in the solution column (xti ). If w denotes the size of matrix M minus the rank of M , then w = (k 2 +k1 k3 )−( 12 k (k −1)+k1 −) = 12 k (k +1)−k1 +k1 k3 +. Once a T1 doubly even selfdual quaternary code described in (3) is given, we can construct all the selfdual codes C = [2i Ti ]i=1,...,4 over Z24 , where T1 = (1) (2) (2) (3) (1) (4−i) T1 +22 (0 0 0 A13 A14 )+23 (0 0 0 0 A14 ) Ti = Ti +24−i (0 0 0 0 Ai4 ) for i = 2 (1) and 3, T4 = (0 0 0 Ik1 A44 ), the A∗ ’s are binary matrices and the T∗ ’s represent (0)−1 (0) (1)t T∗ ’s in (3). From the selfduality of C, we have At44 = A14 A13 , A34 = (0)−1 (1) (1)t (2)t (0)−1 (1) (1)t (2) (0)t (2) (0)t A14 (2−1 T1 T3 ) and A24 = A14 (2−2 T1 T2 + A13 A23 + A14 A24 ).
On Selfdual Codes over Z16 (2)
113
(2)
In the third equation A13 and A14 appear but these have not yet been given. (3) We will consider the condition for them and for A14 such as 1 (1) (1)t (2)t (2)t (0) (3)t T T + A 13 A13 + A 14 A14 + 2A14 A14 ≡ 0 22 1 1
mod 22 ,
where A 13 = A13 + 2A13 and A 14 = A14 + 2A14 . (1) (1)t (0) (2)t (2) Now we put (dij ) = 212 T1 T1 + A13 A13 for any k1 × k2 matrix A13 and (0) (2)t (2)t (0)−1 (xij ) = A14 A14 . Then A14 is uniquely determined by A14 (xij ) such that 1 xji ≡ dij − xij mod 2 for i < j and xii ≡ 2 dii (mod 2) . For i > j, the number of free binary values for xij is 12 k1 (k1 − 1). (1) (1)t (2)t (2)t Next we put (fij ) ≡ 12 212 T1 T1 + A 13 A13 + A 14 A14 mod 2 and (0)
(0)
(1)
(3)t
(0)
(1)
(3)t
(0)−1
(yij ) = A14 A14 . Then A14 is uniquely determined by A14 (yij ) where yji = fij − yij for i < j and 12 k1 (k1 + 1) is the number of freely chosen binary values for yij (i ≥ j). Therefore we have the following proposition. Proposition 2.2. For a fixed T1 doubly even selfdual quaternary code described in (3), the number of induced codes over Z24 is 2k1 (k1 +k2 ) .
3
Mass Formula for Selfdual Code over Z16
Now we establish the mass formula. Theorem 3.1. Let N16 (n) denote the number of distinct selfdual codes over Z16 of length n. 1. If n is odd, then n−1
N16 (n) =
2
2
1 2 k (k +1)
−1 k
i=0
k =0
where
δ=
0 1
n−1
2n−2i−2 + (−1)δ 2 2 2i+1 − 1
n ≡ 1, 7 n ≡ 3, 5
−i−1
−1
(mod 8).
2. If n ≡ 2, 6 (mod 8), then n 2 −1
N16 (n) =
k =0
2
1 2 k (k +1)
−1 k
i=0
2n−2i−2 − 1 ρ(k ). 2i+1 − 1
ρ(k ),
114
K. Nagata, F. Nemenzo, and H. Wada
3. If n ≡ 4 (mod 8), then n 2 −2
N16 (n) =
2
1 2 k (k +1)
−1 k
i=0
k =0
n
2n−2i−2 − 2 2 −i−1 − 2 ρ(k ). 2i+1 − 1
4. If n ≡ 0 (mod 8), then n 2 −1
N16 (n) =
2
1 2 k (k +1)
k =0
n
2
+
2
−1 k
n
2n−2i−2 + 2 2 −i−1 − 2 ρ(k ) 2i+1 − 1
i=0 −2 k 1 2 k (k −1)
k =0
i=0
n
2n−2i−2 + 2 2 −i−1 − 2 ρ (k ). 2i+1 − 1
Here
ρ(k ) =
k
2
(n−k −1)k1
k1 =0
with ρ(k , k1 ) =
k 1 −1 i=0
ρ(k , k1 ), and ρ (k ) =
k k1 =0
2(n−k −1)k1
2k1 − 1 ρ(k , k1 ), 2k − 1
2k −i − 1 . 2k1 −i − 1
In the formulas above, we take the value of a product to be 1 whenever the starting index is greater than the limit. Proof. First note that the length n is a multiple of 4 whenever a doubly even binary code containing 1n exists. The number σ1 (n, k) of distinct doubly even selforthogonal binary codes of length n and dimension k containing 1n as well as the number σ2 (n, k) of those which do not contain 1n are explicitly given in the proof of the Theorem 4.1 in [6]. We note that σ2 (n, n2 ) = 0 for any even n and σ2 (n, n2 − 1) = 0 for n ≡ 4 (mod 8). For each binary code C0 of size n and the dimension k , the number of partitions [Ti ] is ρ(k , k1 ) if 1 ∈ T1 and ρ(k − 1, k1 − 1) otherwise. Over each binary code with a given partition, there exist λ(k1 , k2 , k3 ) T1 doubly even representations for quaternary code C1 . And from each such code, we can construct 2k1 k distinct selfdual codes (Proposition 2.2). Thus if 8n, the number of distinct selfdual codes of type (k1 , k2 , k3 ) as described in the left part of the scheme diagram in Section 2 is
(σ2 (n, k )ρ(k , k1 ) + 2σ1 (n, k )ρ(k − 1, k1 − 1)) λ=0 (k1 , k2 , k3 ) × 2k1 k .
Otherwise, the number of such codes is σ2 (n, k )ρ(k , k1 )λ=0 (k1 , k2 , k3 ) × 2k1 k . This is because σ1 (n, k )λ=0 (k1 , k2 , k3 ) = 0 if 8 n, and λ=1 (k1 , k2 , k3 ) = 2λ=0 (k1 , k2 , k3 ) if it is not 0. Except for the case of λ = 0, λ=0 (k1 , k2 , k3 ) = 1 2 2 k (k +1)−k1 +k1 k3 from Proposition 2.1. Then the calculation −k1 + k1 k3 + k1 k = (k3 + k − l)k1 = (n − k − 1)k1 gives us the mass formulas.
On Selfdual Codes over Z16
4
115
Example for n = 8, k1 = 4, and k2 = k3 = 0 ⎛
⎞ 0111 ⎜1 0 1 1⎟ (0) (0) ⎟ Let C0 = I4 A14 with A14 = ⎜ ⎝ 1 1 0 1 ⎠ . Then C0 is a doubly even selfdual 1110 binary code with d(C0 ) = 4 and C0 18 . (0) (1) (1) We then have C1 = I4 A14 + 2A14 with A14 equal to ⎛ ⎞ 1 α1 + α3 + α4 + 1 α1 + α3 + α4 + α6 + α7 α1 ⎜ α2 + α3 + α4 + α5 + α6 1 α2 + α3 + α4 + α6 + α7 + 1 α2 ⎟ ⎜ ⎟, ⎝ α3 + α5 + α6 + 1 α3 1 α4 ⎠ α5 α6 α7 1 where α∗ can be any binary value. For instance, setting⎛α1 = α2 ⎞ = α4 = α5 = α6 = α7 = 0 and α3 = 1, we have 2131 ⎜3 2 1 1⎟ (0) (1) ⎟ C1 with A14 + 2A14 = ⎜ ⎝ 1 3 2 1 ⎠, a doubly even selfdual quaternary code with 1112 Lee distance dL (C1 ) =⎛ 6. ⎞ 4332 ⎜3 4 3 2⎟ ⎟ Computing (dij ) = ⎜ ⎝ 3 3 4 2 ⎠, we have 2222 ⎞ ⎛ 0 x12 x13 x14 0 x23 x24 ⎟ (2)t (0)−1 ⎜ x12 ⎟, where x = 1 − x. A14 = A14 ⎜ ⎝ x13 x23 0 x34 ⎠ 24 −x34 1 ⎛−x14 −x⎞ 0001 ⎜0 0 0 1⎟ ⎟ From (fij ) ≡ ⎜ ⎝ 0 0 0 1 ⎠, we obtain the induced code C over Z16 : 1110 (0) (1) (2) (3) C = I4 A14 + 2A14 + 22 A14 + 23 A14 ⎛
(3)t
with A14
y11 y12 (0)−1 ⎜ = A14 ⎜ ⎝ y13 y14
y12 y22 y23 y24
y13 y23 y33 y34
⎞ y14 y24 ⎟ ⎟. y34 ⎠ y44
References 1. Balmaceda, J., Betty, R., Nemenzo, F.: Mass formula for selfdual codes over Zp2 . Discrete Mathematics 308, 2984–3002 (2008) 2. Dougherty, S., Harada, M., Sol´e, P.: Selfdual codes over rings and the Chinese remainder theorem. Hokkaido Math. J. 28, 253–283 (1999)
116
K. Nagata, F. Nemenzo, and H. Wada
3. Fields, J., Gaborit, P., Leon, J., Pless, V.: All selfdual Z4 codes of length 15 or less are known. IEEE Trans. Inform. Theory 44, 311–322 (1998) 4. Gaborit, P.: Mass formulas for selfdual codes over Z4 and Fq + uFq rings. IEEE Trans. Inform. Theory 42, 1222–1228 (1996) 5. Hammons, A., Kumar, P., Calderbank, A., Sloane, N., Sol´e, P.: The Z4 linearity of Kerdock, Preparata, Goethals and related codes. IEEE Trans. Inform. Theory 40, 301–319 (1994) 6. Nagata, K., Nemenzo, F., Wada, H.: The number of selfdual codes over Zp3 . Designs, Codes and Cryptography 50, 291–303 (2009) 7. Nagata, K., Nemenzo, F., Wada, H.: Constructive algorithm of selfdual errorcorrecting codes. In: Proc. of 11th International Workshop on Algebraic and Combinatorial Coding Theory, pp. 215–220 (2008) ISSN 1313423X
A Nonabelian Group Based on Block Upper Triangular Matrices with Cryptographic Applications ´ Rafael Alvarez, Leandro Tortosa, Jos´e Vicent, and Antonio Zamora Departamento de Ciencia de la Computaci´ on e Inteligencia Artiﬁcial, Universidad de Alicante, Campus de San Vicente, Ap. Correos 99, E–03080, Alicante, Spain [email protected], [email protected], [email protected], [email protected]
Abstract. The aim of this article is twofold. In the ﬁrst place, we describe a special nonabelian group of block upper triangular matrices, and verify that choosing properly certain parameters, the order of the subgroup generated by one of these matrices can be as large as needed. Secondly, we propose and implement a new key exchange scheme based on these primitives. The security of the proposed system is based on discrete logarithm problem although a nonabelian group of matrices is used. The primary advantadge of this scheme is that no prime numbers are used and the eﬃciency is guaranteed by the use of a quick exponentiation algorithm for this group of matrices. Keywords: Polynomial matrices, Block matrices, Quick exponentiation, Cryptography, Public Key.
1
Introduction
A lot of popular publickey encryption systems are based on number theory problems such as factoring integers or ﬁnding discrete logarithms. The underlying algebraic structures are, very often, abelian groups, as we can see in [3,4,16]; this is especially true in the case of the DiﬃeHellman method (DH), that was the ﬁrst practical public key technique and introduced in 1976 (see [8]). In Crypto 2000 [12], Ko et al. proposed a new public cryptosystem based on Braid groups, which are non abelian groups, and it was the ﬁrst practical public key cryptosystem based on non abelian groups. The Discrete Logarithm Problem (DLP, see [7, 15, 20]) is, together with the Integer Factoring Problem (IFP, see [8]), one of the main problems upon which publickey cryptosystems are built. Thus, eﬃciently computable groups where the DLP is hard to break are very important in cryptography. The purpose of this proposal is the analysis and implementation of a key exchange scheme based on a special nonabelian group of block upper triangular matrices. The main idea of this paper is to study the cryptographic behavior M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 117–126, 2009. c SpringerVerlag Berlin Heidelberg 2009
´ R. Alvarez et al.
118
of products of the type M1v M2w , with v, w integers and M1 , M2 elements of the group of matrices previously mentioned. The paper is organized as follows: in Section 2 we present some properties concerning block upper triangular matrices deﬁned over Zp . We will show that they can generate sets of large and known order if parameters are chosen adequately; due to this we study the order of the subgroup generated by a special matrix M ; in Section 3 we describe the design of a key exchange scheme based on the nonabelian group of triangular matrices, for this, we use a especial quick exponentiation method; ﬁnally, some conclusions are given.
2
Preliminaries
Given p a prime number and r, s ∈ N ,we denote by Matr×s (Zp ) the matrices of size r × s with elements in Zp , and by GLr (Zp ) and GLs (Zp ), the invertible matrices of size r × r and s × s respectively. We deﬁne AX Θ= , A ∈ GLr (Zp ), B ∈ GLs (Zp ), X ∈ Matr×s (Zp ) OB Theorem 1. The set Θ has a structure of nonabelian group for the product of matrices. The theorem that follows gives us a method for calculating the powers of this kind of matrices (for details see [6]). AX Theorem 2. Let M = be an element of the set Θ, we consider the OB subgroup generated by the diﬀerent powers of M . Taking h as a non negative integer then h (h) A X h M = , (1) O Bh where X
(h)
=
0 h
h−i XB i−1 i=1 A
if h = 0 if h ≥ 1
(2)
Also, if 0 ≤ t ≤ h then X (h) = At X (h−t) + X (t) B h−t
(3)
X (h) = A(h−t) X (h) + X (h−t) B t .
(4)
As a consequence, in the case t = 1 we have X (h) = AX (h−1) + XB h−1 or X (h) = Ah−1 X + X (h−1) B
A Nonabelian Group Based on Block Upper Triangular Matrices
119
And, taking a, b non negative integers such as a + b ≥ 0, we have X (a+b) = Aa X (b) + X (a) B b
(5)
It is very important to achieve a high order of the group. With this aim, the following construction (see [11, 13]) guarantees a certain order. Let f (x) = a0 + a1 x + · · ·+ an−1 xn−1 + xn a monic polynomial in Zp [x], whose companion n × n matrix is ⎤ ⎡ 0 1 0 ... 0 0 ⎢ 0 0 1 ... 0 0 ⎥ ⎥ ⎢ ⎢ .. .. .. . . .. .. ⎥ ⎢ . . . . . . ⎥ A=⎢ ⎥ . ⎢ 0 0 0 ... 1 0 ⎥ ⎥ ⎢ ⎣ 0 0 0 ... 0 1 ⎦ −a0 −a1 −a2 . . . −an−2 −an−1 If f is an irreducible polynomial in Zp [x], then the order of the matrix A is equal to the order of any root of f in Fpn and the order of A divides pn − 1 (see [14]). Moreover, assuming that f is a primitive polynomial in Zp [x], the order of A is exactly pn − 1. Odoni, Varadharajan and Sanders [19] propose an extended scheme based on the construction of block matrices like this ⎤ ⎡ A1 0 . . . 0 ⎢ 0 A2 . . . 0 ⎥ ⎥ ⎢ A=⎢ . . . ⎥ , ⎣ .. .. . . . .. ⎦ 0 0 . . . Ak where Ai is the companion matrix of fi , and fi , for i = 1, 2, . . . , k, are diﬀerent primitive polynomials in Zp [x] of degree ni , for i = 1, 2, . . . , k, respectively. The order of Ai is pni − 1, for i = 1, 2, . . . , k. Therefore, the order of A is lcm(pn1 − 1, pn2 − 1, . . . , pnk − 1). With the aim of using this type of matrix in a public key cryptosystem, Odoni, Varadharajan and Sanders conjugate this matrix A with an invertible matrix P of size n × n, with n = n1 + n2 + . . . + nk , obtaining a new matrix A = P AP −1 that has the same order as A. If we construct the blocks A and B of M ∈ Θ using primitive polynomials, we can guarantee a very high order. Let f (x) = a0 + a1 x+ · · ·+ ar−1 xr−1 + xr , g(x) = b0 + b1 x+ · · ·+ bs−1 xs−1 + xs be two primitive polynomials in Zp [x] and A, B the corresponding companion matrices. Let P and Q be two invertible matrices, such that A = P AP −1 and B = QBQ−1 . With this construction, the order of M is lcm(pr − 1, ps − 1). Using cyclotomic ﬁelds theory we know that the polynomial xn − 1 is divided by xd − 1 if dn; therefore, if we choose r and s such that they are relatively prime, the number of common divisors is diminished and the lcm(pr − 1, ps − 1) will be maximum. Table 1 shows a comparison of the variation of the order of M depending on the value of p, r and s, where r and s are the sizes of blocks A and B respectively.
120
´ R. Alvarez et al. Table 1. Order of M depending of r, s and p r
s
2 3 3 4 5 31 47 60 130 216
3 4 5 5 6 32 48 61 131 217
p Order of M 2200 2200 2200 2200 2200 29 29 29 29 29
2800 21200 21400 21600 22000 2302 2457 2584 21264 22099
Given the excellent cryptographic properties of block upper triangular matrices, we will see an aplication of this set to public key cryptography.
3
Cryptographic Application: A Key Exchange Scheme
The DLP ( [17]) for a set G is ﬁnding, given α, β ∈ G, a nonnegative integer x (if it exists) such that β = αx . The smallest such integer x is called the discrete logarithm of β to the base α, and is written x = logα β. Clearly, the discrete logarithm problem for a general group G is exactly the problem of inverting the exponentiation function (see [18] for more information). This is especially true for the DiﬃeHellman method ( [8]), that was the ﬁrst practical public key technique to be published. The security of this method for key exchanges, is based on the discrete logarithm problem, and it uses a prime number p and a primitive element r ∈ Zp . Privacy or security of messages is not the only problem area in cryptology. It is also important that user identity can be authenticated. Digital signature is a property of asymmetric cryptography, that allows authentication. It consists of two processes: signing a message and verifying a message signature; and it must depend on the message to be signed. The method presented in this section uses a nonabelian group based on the powers of a block upper triangular matrix, which is a very ﬂexible technique. A1 X1 A2 X2 and M2 = be two elements of the set Θ with Let M1 = 0 B1 0 B2 orders m1 and m2 respectively. We deﬁne the following notation for a pair of numbers x, y ∈ N: Axy = Ax1 Ay2 , Bxy = B1x B2y and
(y)
(x)
Cxy = Ax1 X2 + X1 B2y .
A Nonabelian Group Based on Block Upper Triangular Matrices
121
If two users U and V wish to exchange a key, they may execute the following steps: 1. U and V agree on p ∈ N and M1 , M2 ∈ Θ, with m1 , m2 the orders of M1 and M2 , respectively. 2. U generates two random private keys r, s ∈ N such that 1 ≤ r ≤ m1 − 1, 1 ≤ s ≤ m2 − 1, and computes Ars , Brs , Crs constructing Ars Crs C= . 0 Brs 3. U sends C to V . 4. V generates two random private keys v, w ∈ N such that 1 ≤ v ≤ m1 − 1, 1 ≤ w ≤ m2 − 1, and computes Avw , Bvw , Cvw constructing Avw Cvw D= . 0 Bvw 5. V sends D to U . 6. The public keys of U and V are respectively the matrices C and D. 7. U computes (s)
(r)
Ku = Ar1 Avw X2 + Ar1 Cvw B2s + X1 Bvw B2s . 8. V computes (w)
Kv = Av1 Ars X2
(v)
+ Av1 Crs B2w + X1 Brs B2w .
The following theorem shows that Ku = Kv . (s)
(r)
Theorem 3. If Ku = Ar1 Avw X2 + Ar1 Cvw B2s + X1 Bvw B2s (w) (v) and Kv = Av1 Ars X2 + Av1 Crs B2w + X1 Brs B2w , then Ku = Kv . Proof 1. We have Ars Crs Avw Cvw r s C= = M1 M2 , D = = M1v M2w , 0 Brs 0 Bvw M1r =
M2s
(r)
Ar1 X1 0 B1r (s)
As2 X2 = 0 B2s
, M1v =
(v)
Av1 X1 0 B1v
and
M2w
,
(w)
Aw 2 X2 = 0 B2w
.
´ R. Alvarez et al.
122
Let Mu =
M1r DM2s
Av Kv . 0 Bv
Au Ku = 0 Bu
and Mv = M1v CM2w = Then
Mu = M1r DM2s = M1r M1v M2w M2s = M1v M1r M2s M2w = M1v CM2w = Mv and, consequently, Ku = Kv . As we have demonstrated in this theorem, now both U and V share a common and secret key, Ku = Kv = P. The private keys are r, s and v, w, respectively. These keys do not have to be prime numbers (we avoid primality tests). In our key exchange scheme based on block upper triangular matrices, the usage of big powers of matrices is required (see [1]); so the implementation of an eﬃcient and trustworthy quick exponentiation algorithm (see [2, 9, 10, 21]) becomes necessary for the accomplishment of this task. Given n ∈ N, then a ordered set of indices exist I = {i1 , i2 , i3 , i4 , . . . , iq } so that n = 2i1 + 2i2 + 2i3 + . . . + 2iq . In order to compute the powers of A and B, i1 +2i2 +...+2iq
An = A2
i1 +2i2 +...+2iq
Bn = B2
i1
i2
iq
i1
i2
iq
= A2 A2 . . . A2
= B2 B2 . . . B2 ,
we use 0 A2 = A = A0 21 A = AA = A1 2 A2 = A2 A2 = A2 ...... e e−1 e−1 = Ae A2 = A2 A2 That is to say, computing big powers of the blocks A, B of matrices M , is reduced to multiplying matrices quickly. So, for block X we have the following theorem. Theorem 4. Given an integer number n, whose binary decomposition is n=
q
j=1
2ij ,
A Nonabelian Group Based on Block Upper Triangular Matrices
123
and a set of indices I = {i1 , i2 , i3 , i4 , . . . , iq }, we have: X (n) =
q
(k)
(k)
(k)
An1 X (n2 ) B n3
(6)
k=1
Where (k) n1
=
q−k
(q)
2ij , f or k = 1, 2, 3, . . . q − 1, and n1 = 0;
j=1 (k)
n2 = 2iq−k+1 for k = 1, 2, 3, . . . q ;
(k)
n3 =
q
(1)
2ij f or k = 2, 3, . . . q, and n3 = 0.
j=q−k+2
In Alvarez et al. (see [2]) we prove this theorem and we show some examples of its use.
4
Security Analysis
Brute force attacks are infeasible if a suﬃciently big order for M1 and M2 is chosen as, for example, 1024 bits. In the same way, we use big values for the private keys r, s, v, w (about 1024 bits) and due to this, we can avoid MeetintheMiddleAttacks. A widely used algorithm for the cryptanalysis of public key schemes based on matrix powers is due to Menezes and Wu (see [18]). It, basically, establishes the possibility of reducing the full discrete logarithm problem to a series of smaller discrete logarithms over ﬁnite ﬁelds. This algorithm is not viable for the presented scheme since no matrix powers are published. Another technique for eﬀectively cryptanalyzing some schemes based on block upper triangular matrices, has been developed by Climent, Gorla and Rosenthal [5] and is based on the CayleyHamilton theorem. Theorem 5. (CayleyHamilton Theorem). Let a matrix M ∈ GLn (Zp ) and its characteristic equation qM (λ) = det(λIn − M ) = a0 + a1 λ + a2 λ2 + . . . + an−1 λn−1 + λn . Then qM (M ) = a0 + a1 M + a2 M 2 + . . . + an−1 M n−1 + M n = 0n , where In is the identity matrix of size n and 0n the null matrix of the same size. This attack is not viable either, since two diﬀerent matrices with diﬀerent characteristic equations are employed. Let us analyze the ineﬃciency of this type of attack.
124
´ R. Alvarez et al.
Consider
A1 X1 A2 X2 M1 = ∈ Θ , M2 = ∈ Θ, 0 B1 0 B2
be two matrices of sizes n = r + s, and assume that det(λI − M1 ) = 0 and det(λI − M2 ) = 0, then qM1 (λ) = det
λI − A1 −X1 0 λI − B1
= det(λI − A1 ) · det(λI − B1 ) = qA1 (λ) · qB1 (λ) = a0 + a1 λ + a2 λ2 + . . . + an−1 λn−1 + λn , qM2 (λ) = det
λI − A2 −X2 0 λI − B2
= det(λI − A2 ) · det(λI − B2 ) = qA2 (λ) · qB2 (λ) = b0 + b1 λ + b2 λ2 + . . . + bn−1 λn−1 + λn with qM1 (λ) = qM2 (λ). The CayleyHamilton theorem guarantees that qM1 (M1 ) = qM2 (M2 ) = 0, so a0 I + a1 M1 + a2 M12 + . . . + an−1 M1n−1 + M1n = 0, a0 I + a1 M1 + a2 M12 + . . . + an−1 M1n−1 = −M1n , multiplying by M1 a0 M1 + a1 M12 + a2 M13 + . . . + an−1 M1n = −M1n+1 . Replacing the value of M1n a0 M1 + a1 M12 + a2 M13 + . . . + an−1 (−a0 I − a1 M1 − a2 M12 − . . . − an−1 M1n−1 ) = −M1n+1 , and grouping terms we obtain M1n+1 = b0 I + b1 M1 + b2 M12 + . . . + bn−1 M1n−1 . with b0 = a0 an−1 and bi = an−1 ai − ai−1 for i = 1, . . . , n − 1 Following this process for a certain p ≥ n, we have M1p = c0 I + c1 M1 + c2 M12 + . . . + cn−1 M1n−1 ,
(7)
A Nonabelian Group Based on Block Upper Triangular Matrices
125
then
M1p
(p) Ap1 X1 = 0 B1p n−1 (n−1) I0 A1 X1 A1 X1 = c0 + c1 + . . . + cn−1 . 0 B1 0I 0 B1n−1
Consequently, Ap1 = c0 I + c1 A1 + c2 A21 + . . . + cn−1 An−1 , 1 (p) (2) (n−1) , X1 = c1 X1 + c2 X1 + . . . + cn−1 X1 B1p = c0 I + c1 B1 + c2 B12 + . . . + cn−1 B1n−1 . If we proceed like in expression (7), we obtain M2p = d0 I + d1 M2 + d2 M22 + . . . + dn−1 M2n−1 . In the scheme that we are analyzing, we know M1 and M2 so we can set up the following linear system M1r = e1 M1 + e2 M12 + . . . + en−1 M1n−1 , M2v = f1 M2 + f2 M22 + . . . + fn−1 M2n−1 . Since r and s are private keys, coeﬃcients e1 , e2 , . . . , en−1 and f1 , f2 , . . . , fn−1 , as well as the matrices M1r and M2v are unknown, rendering the system unsolvable. Therefore, the Climent, Gorla and Rosenthal technique (see [5]), based on the Cayley Hamilton theorem, cannot be used to obtain a system suitable for cryptanalysis. In order to cryptanalyze this scheme, we must apply square root algorithms to the calculation of discrete logarithms. We can choose the blocks A1 , A2 , B1 and B2 so that the ineﬃciency of this type of attack is guaranteed.
5
Conclusions
We propose a key exchange scheme, based on the behavior of matrix products of the type M1v M2w , where M1 , M2 are elements of a nonabelian group of block upper triangular matrices with a big enough order, being v, w integers. One of the main advantages of this scheme is the absence of big prime numbers, avoiding the need for primality tests. Moreover, the proposed scheme is very eﬃcient since it employs fast exponentiation algorithms for such type of matrices. The presented algebraic structure can be applied to other cryptographic applications in addition to the proposal. It is based on the discrete logarithm problem for matrices and presents the advantage of reducing the required key length for a given level of security. Another advantage is the use of nonprime numbers, which prevents the primality tests that slow cryptographic protocols down.
126
´ R. Alvarez et al.
References 1. Agnew, G.B., Mullin, R.C., Vanstone, S.A.: Fast Exponentiation in GF (2n ). In: G¨ unther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 251–255. Springer, Heidelberg (1988) ´ 2. Alvarez, R., Ferr´ andez, F., Vicent, J.F., Zamora, A.: Applying quick exponentiation for block upper triangular matrices. Applied Mathematics and Computation 183, 729–737 (2006) 3. Anshel, I., Anshel, M., Goldfeld, D.: An algebraic method for publickey cryptography. Mathematical Research Letters 6, 287–291 (1999) 4. Blake, I., Seroussi, G., Smart, N.: Elliptic Curves in Cryptography. London Mathematical Society. Lecture Notes, vol. 265. Cambridge University Press, Cambridge (1999) 5. Climent, J.J., Gorla, E., Rosenthal, J.: Cryptanalysis of the CFVZ cryptosystem. Advances in Mathematics of Communications (AMC) 1, 1–11 (2006) 6. Climent, J.J.: Propiedades espectrales de matrices: el ´ındice de matrices triangulares por bloques. La ra´ız Perron de matrices coc´ıclicas no negativas. Ph.D Thesis, Valencia. Sapin (1993) 7. Coppersmith, D., Odlyzko, A., Schroeppel, R.: Discrete logarithms in GF (p). Algorithmica, 1–15 (1986) 8. Diﬃe, W., Hellman, M.: New directions In Cryptography. IEEE Trans. Information Theory 22, 644–654 (1976) 9. Gathen, J.: Eﬃcient and Optimal Exponentiation in Finite Fields. Computational Complexity 1, MR 94a:68061, 360–394 (1991) 10. Gordon, D.M.: A Survey of Fast Exponentiation Methods. Journal of Algorithms 27, 129–146 (1998) 11. Hoﬀman, K., Kunze, R.: Linear Algebra. PrenticeHall, New Jersey (1971) 12. Ko, K.H., Lee, S.J., Cheon, J.H., Han, J.W., Kang, J.: New Public Key Cryptosystem Unsing Braid Groups. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 166–183. Springer, Heidelberg (2000) 13. Koblitz, N.: A Course in Number Theory and Cryptography. Springer, Heidelberg (1987) 14. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, Cambridge (1994) 15. McCurley, K.: The discret logarithm problem. Cryptology and Computational Number Theory. In: Proceedings of Symposia in Applied Mathematics, vol. 42, pp. 49–74 (1990) 16. Menezes, A., Van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Florida (2001) 17. Menezes, A., Wu, Y.H.: A polynomial representation for logarithms in GF (q). Acta arithmetica 47, 255–261 (1986) 18. Menezes, A., Wu, Y.H.: The Discrete Logarithm Problem in GL(n, q). Ars Combinatoria 47, 22–32 (1997) 19. Odoni, R.W.K., Varadharajan, V., Sanders, P.W.: Public Key Distribution in Matrix Rings. Electronic Letters 20, 386–387 (1984) 20. Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF (p) and its cryptographic signiﬁcance. IEEE Trans. Info. Theory 24, 106–110 (1978) 21. Shuhong, G., Gathen, J., Panario, D., Shoup, V.: Algorithms for Exponentiation in Finite Fields. Journal of Symbolic Computation 296, 879–889 (2000)
Word Oriented Cascade Jump σ−LFSR Guang Zeng, Yang Yang, Wenbao Han, and Shuqin Fan Department of Applied Mathematics, Zhengzhou Information Science and Technology Institute, Zhengzhou 450002, China sunshine [email protected], yangyang [email protected], [email protected], [email protected]
Abstract. Bit oriented cascade jump registers were recently proposed as building blocks for stream cipher. They are hardware oriented designed hence ineﬃcient in software. In this paper word oriented cascade jump registers are presented based on the design idea of bit oriented cascade jump registers. Their constructions make use of special word oriented σ−LFSRs, which can be eﬃciently implemented on modern CPU and only require few memory. Experimental results show that one type of eﬃcient word oriented cascade jump σ−LFSRs can be used as building blocks for software oriented stream cipher. Keywords: Stream Cipher, Linear Feedback Shift Register(LFSR), Cascade Jump LFSR, σ−LFSR, Fast Software Encryption.
1
Introduction
Today stream ciphers are widely used in areas where the combination of security, performance and implementation complexity are of importance. One such area is wireless communication (GSM, 3G, IEEE802.11), where a low gate count in hardware implementation requirements prevail. Another area is eﬃcient software encryption with speed about tens of gigabits per second. This opinion is supported by the eSTREAM project [1], which is an eﬀort to identify new stream ciphers that might be interesting for widespread adoption. LFSR is known to allow fast hardware implementation and produces sequences with a large period and good statistical properties. But the inherent linearity of these sequences results in susceptibility to algebraic attacks [2,3]. A wellknown method to resist that is clock control. Due to the traditional clock control mechanism that either controls the LFSR irregularly clocking or shrinks or thins the output, clock controlled LFSRs have decreased rate of sequence generation since such LFSRs are usually stepped a few times to produce just one bit. A more eﬀective method is dynamic feedback control, which is used in stream
This work has been supported by a grant from the National High Technology Research and Development Program of China (No.2006AA01Z425), and National Natural Science Foundation of China (No.90704003, No.60503011), and National Basic Research Program of China (No.2007CB807902).
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 127–136, 2009. c SpringerVerlag Berlin Heidelberg 2009
128
G. Zeng et al.
cipher Pomaranch [4]. Pomaranch is a hardware oriented stream cipher and the core part is made of several bit oriented cascade jump registers [5], which was presented at SASC2004 Workshop. The main idea of cascade jump register [6] is to move the state of LFSR to another one over more than one step without having to step through all the intermediate states. The nature of cascade jump register is bit oriented design, so it is suitable for hardware implementation while its software implementation is ineﬃcient. The recent trend in software oriented stream cipher is towards word oriented design such as Sober [7], Snow [8], Sosemanuk [9] and etc. This allows them not only to be eﬃciently implemented in software but also to increase the throughput since words instead of bits output. σ−LFSRs [10,11] are one type of eﬃcient word oriented LFSRs, which are constructed by few fundamental instructions of modern processor and hence have high software eﬃciency. Combining the design ideas of bit oriented cascade jump register and word oriented σ−LFSR, we propose a cascade jump σ−LFSR. We examine one type of cascade jump σ−LFSRs on modern CPU architecture and make suggestions for design practices to maximize the speed, the security and decrease the implementation complexity of general cascade jump σ−LFSR. Finally, we give the jump index of our examples using Pollard Rho method.
2
Cascade Jump Register and σ−LFSR
Bit Oriented Cascade Jump Register. Linear Finite State Machine (LFSM) has been widely used in cryptography. Let F2 be the binary ﬁeld and F2m be its extension ﬁeld for some positive integer m. The state of the LFSM is represented t by a vector St = (rn−1 , · · · , r0t ) ∈ Fn2m at time t, where rit ∈ F2m and rit denotes the content of the ith memory cell after t transitions. As the ﬁnite state machine is linear, transitions from one state to the next can be described by a multiplication of the state vector with a transition matrix T ∈ Mmn (F2 ), i.e. St+1 = St · T , for t ≥ 0. In practice, matrix T is generally chosen to have a special form for convenience of implementation. If m = 1, the main idea of bit oriented cascade jump register is to ﬁnd whether there exists an integer J, such that T J = T + I where I is a mn × mn identity matrix. If such a power of the transition matrix does exist, then one achieves the same eﬀect as multiplying the state vector either by T J or by T + I. Moreover, since changing T into T +I is generally much simpler than rewiring T into T J for an arbitrary transition matrix T , the LFSR is easy to jump. This modiﬁcation of the transition matrix has very low complexity and is much more attractive and eﬃcient than the method of rewiring the LFSR. Hence bit oriented cascade jump registers can be used as a dynamic part controlled by twovalue sequence in clock control stream cipher. Let g(x) = det(xI + T ) be the characteristic polynomial of T and g ⊥ (x) = g(x + 1) be the dual polynomial of g(x). If there exists an integer J such that T J = T + I, the value of J is called the jump index of g. The jump index always exists if g(x) is a primitive polynomial over F2 . Pomaranch uses 6 or 9 bit oriented
Word Oriented Cascade Jump σ−LFSR
129
cascade jump registers for 80bit and 128bit key respectively. Both registers are built on 18 bits memory cells, and have primitive characteristic polynomial, i.e., when only clocked by zeros or ones they have a period of 218 − 1. The transition matrix used in Pomaranch has a very special form, namely, ⎛ ⎞ d0 0 0 · · · 0 1 ⎜ 1 d1 0 · · · 0 ⎟ t1 ⎜ ⎟ ⎜ ⎟ . . .. ⎜ 0 1 d2 . . . .. ⎟ ⎜ ⎟ (1) ⎜ ⎟ . . . .. ⎜ 0 0 .. .. 0 ⎟ ⎜ ⎟ ⎜ . . . ⎟ ⎝ .. .. . . 1 d16 ⎠ t16 0 0 ··· 0
1 d17 + t17
The major advantage of this type of transition matrix is the eﬃcient hardware implementation. If wants to obtain word oriented cascade jump register, one only need choose m ≥ 2, especially m = 32 or 64 for the word size of CPU correspondingly. But it should be noticed that the operation of St ·T in computer is likely to be expensive unless the matrix T has a special form. In this case, σ−LFSRs are good choices because they are software oriented design. Word Oriented σ−LFSR. The main idea of σ−LFSR [10,11] is to use a few the fundamental logic instructions, arithmetic instructions, or Single Instruction Multiple Data technique to construct high eﬃciency word oriented LFSR with good cryptographic properties. Let C0 , · · · , Cn−1 ∈ Mm (F2 ) and the state at t+1 t , · · · , r0t ), then the next state is St+1 = (rn−1 , · · · , r0t+1 ) ∈ time t be St = (rn−1 t Fn2m where rit+1 = ri+1 for 0 ≤ i ≤ n − 2 and t+1 t rn−1 = C0 r0t + C1 r1t + · · · + Cn−1 rn−1 .
(2)
The system is called σ−LFSR of order n and matrix polynomial f (x) = xn + Cn−1 xn−1 + · · · + C1 x + C0 ∈ Mm (F2 )[x] is called σ−polynomial of σ−LFSR. In fact, σ is a circular rotation operation deﬁned in the following. Let α0 , · · · , αn−1 be a basis of F2m and for α ∈ F2m , there exists a vector (a0 , a1 , · · · , am−1 ) ∈ Fm 2 m−1 such that α = i=0 ai αi . Operation σ over F2m is deﬁned as σ(α) am−1 α0 + a0 α1 + · · · + am−2 αm−1
(3)
and σ is the Frobenius automorphism over F2m when the basis is normal, namely σ(α) = α2 . It is easy to see that σ is a linear transformation on F2m /F2 . From the view of linear transformation, we can obtain a new ring A2m = F2m [σ] with adding σ to F2m . Moreover we have A2m ∼ = Mm (F2 ) [11]. For the sake of obtaining fast speed implementation in software, we conﬁne the coeﬃcients in several special forms as follows. m−1 1. AND Operation, ∧V (α) = α ∧ V = m−1 i=0 ai ci αi , where V = i=0 ci αi ; 2. Circular Rotation Operation, σ k (α); m−1 3. Left Shift Operation L, L(α) = i=1 ai αi−1
130
G. Zeng et al.
4. Right Shift Operation R, R(α) = m−2 i=0 ai αi+1 ; 5. LR Shift Combination Operation s,t = Ls + Rt . If the output sequences generated by one σ−LFSR attain the maximal period, that σ−LFSR is called the primitive σ−LFSR. Suppose s∞ is the sequence generated by primitive σ−LFSR, its bit coordinate sequences are all msequence with the same minimal polynomial[11]. In this case, the number of nonzero coeﬃcients of the binary minimal polynomial is called the Hamming weight of σ−LFSR. This parameter is important, the closer to the half of the degree of its minimal polynomial, the better its properties. With these special operations above, we could ﬁnd many primitive σ−LFSRs with good cryptographic properties. The following is a primitive σ−LFSR over F216 . 
.................. ....................... .. ..... .... V ........ 1,1... ..................... ......................
∧
?
Fig. 1. σ−LFSR with σ−polynomial x8 + ∧0x3fb6 x + 1,1
The minimal polynomial of its coordinate sequences is p(x) with Hamming weight 45, where p(x) = x128 + x121 + x114 + x112 + x107 + x105 + x98 + x96 + x91 + x75 + x73 + x72 + x68 + x66 + x65 + x64 + x61 + x59 + x58 + x57 + x56 + x54 + x52 + x51 + x49 + x47 + x45 + x42 + x41 + x38 + x36 + x35 + x33 + x31 + x29 + x27 + x26 + x25 + x24 + x20 + x18 + x11 + x6 + x4 + 1. Furthermore, this σ−LFSR has extremely fast speed, output speed is about over 25 Gbits/second on Pentium IV 3.0GHz CPU.
3
Word Oriented Cascade Jump σ−LFSR
Cascade jump register and σ−LFSR are eﬀective methods in clock control design and word oriented LFSR design respectively. If two advantages could be combined together, we could strengthen the security of σ−LFSR and improve the performance of bit oriented cascade jump register. With this idea, we study the word oriented cascade jump σ−LFSR. The transition matrix of general word oriented cascade jump σ−LFSR is as follows. ⎞ ⎛ 0 0 0 0 C0 ⎜ I 0 0 0 C1 ⎟ ⎟ ⎜ ⎜ .. . . . . .. ⎟ .. .. T =⎜ . ⎟ . . ⎟ ⎜ ⎝ 0 0 I 0 Cn−2 ⎠ 0 0 0 I Cn−1 mn×mn Only if T has maximal multiplicative order in Mmn (F2 ), the output sequence generated by this σ−LFSR achieves the maximal period 2mn − 1, and in this
Word Oriented Cascade Jump σ−LFSR
131
case, there exists a jump index J such that T J = T + I. The following theorem may be helpful in searching for primitive T . Theorem 1. [10] Let σ−LFSR over F2m of order n with σ−polynomial f (x) = xn + Cn−1 xn−1 + · · · + C1 x + C0 ∈ Mm (F2 )[x] where C0 ∈ GLm (F2 ) and Cl = (cij l )m×m for l = 0, 1, · · · , n − 1. Let F (x) = (f ij (x))m×m ∈ Mm (F2 [x]) be the corresponding polynomial matrix of f (x) where f ij (x) = δ ij xn +
n−1
l ij cij l x ∈ F2 [x], δ =
l=0
1, i = j; 0, i = j.
Then σ−LFSR has maximal period if and only if the determinant F (x) is a primitive polynomial over F2 of degree mn. A word oriented cascade jump σ−LFSR can be used under a binary control sequence, namely changing the transition matrix from T to T + I according to the control sequence. We should choose σ−polynomial f (x) to be primitive ﬁrst, and furthermore f ⊥ (x) = f (x + 1) also be primitive. If σ−polynomial f ⊥ is not primitive, its output sequences will have short period with high probability and can not provide good properties in theory as maximal period sequence. This weakness will make this word oriented cascade jump σ−LFSR very dangerous if the control sequence is not balanced. Apparently, the dual transition matrix of cascade jump σ−LFSRs will be identical to the transition matrix except for the entries on the main diagonal. Equivalently, adding ones to the entries on the main diagonal of the transition matrix equals to the jump index power of that matrix. Seeking for fast eﬃciency, we focus on one type of word oriented cascade σ−LFSRs with the following σ−polynomial over Mmn (F2 ) as f (x) = xn + ∧V xr + s,t ,
(4)
where V ∈ F2m , 0 < s, t < m − 1 and (s + t)m. We have made exhaustive search for m = 16. Because of the symmetry of s, t, which means that if Eq. (4) is primitive, then g(x) = xn + ∧V x + t,s is also primitive, hence s ≤ t is required. Totally 6,815,744 σ−polynomials in the form of Eq. (4) are tested with n = 8. The following table lists the number of maximal period word oriented cascade jump σ−LFSRs. Table 1. The Number of Primitive f and its Dual f ⊥ r=1r=3 f 2510 2415 f ⊥ 2974 2334 Both 1382 48
r=5 2680 2419 54
r = 7 r = 2, 4, 6 5666 0 3570 0 46 0
132
G. Zeng et al. Table 2. Hamming Weight of Some Good σ−polynomial SN 1 2 3 4 5 6 7 8 9 10
f (x)
8
x + ∧0x5806 x + 3,5 x8 + ∧0xffc0 x + 1,7 x8 + ∧0x9239 x + 1,1 x8 + ∧0x29d8 x + 1,1 x8 + ∧0x2ab9 x3 + 1,1 x8 + ∧0xdb73 x3 + 1,1 x8 + ∧0xb036 x5 + 1,3 x8 + ∧0xf00e x5 + 1,1 x8 + ∧0x4e2c x7 + 1,1 x8 + ∧0x623c x7 + 1,1
Weight(f ) Weight(f ⊥ ) 9 33 9 35 35 65 33 75 33 55 31 53 21 57 29 65 29 61 39 69
There are total 1530 word oriented cascade jump σ−LFSRs satisfying our selection principle and the Hamming weight of f ⊥ (x) is superior to that of f (x). In order to make the test results become visible, some examples with both f and f ⊥ primitive are listed below. Example 1. The tenth word oriented cascade jump σ−LFSR in Table 2 has the best Hamming weight properties. Their software implementation are both very fast for simplicity of f and f ⊥ . The original σ−LFSR and the modiﬁed cascade jump σ−LFSR are shown in Figure 2 and Figure 3 respectively. 
...................... ..... 1,1... ..................... ..
..... ......... ........ ..... V ..... ................... ..
∧
?
Fig. 2. σ−LFSR with σ−polynomial x8 + ∧0x623c x7 + 1,1
 ?
?
?
....................... .... .... V...... ................
∧
?
?
?
?
?
?

.................... .... 1,1..... .... ...................
Fig. 3. The Modiﬁed Cascade Jump σ−LFSR in Fig.2
Searching for good word oriented σ−LFSRs as form in Eq. (4) is a timeconsuming procedure. The following two necessary conditions may decrease the amount of search work a little. Theorem 2. If r is an even integer, f (x) defined in Eq. (4) cannot be primitive.
Word Oriented Cascade Jump σ−LFSR
133
Proof: According Theorem 1, we need to calculate F (x). Since every item in f (x) is a square item over F2 [x], hence the determinant must be a square polynomial, not primitive polynomial. Theorem 3. Polynomial f (x) in Eq. (4) cannot be primitive if s = t > 2. Proof: Let Cm,s be the m × m matrix as following ⎞ ⎛ x1 1 ⎟ ⎜ .. ⎟ ⎜ . 1 ⎟ ⎜ ⎜ .. .. ⎟ Cm,s = ⎜ 1 ⎟ . . ⎟ ⎜ ⎟ ⎜ . . .. .. ⎠ ⎝ 1 xm m×m
(5)
In fact, with xi = xn + ci xr for 0 ≤ i ≤ m − 1 in (5), we get f (x) deﬁned (4) in polynomial matrix expression. By Theorem 1, we need to calculate f (x) and check whether it is a primitive polynomial. Next we will prove the determinant of Cm,s is the multiplication of polynomials with the total number s when s ≥ 2. Hence we know the determinant of f (x) must be reducible, obviously not primitive. For Cm,s with m ≤ 2s, we can use the last m − s rows to reduce the ﬁrst m − s rows, then use the Lapalace Theorem at ﬁrst m − s columns to compute the determinant, hence we can obtain a s × s diagonal matrix by suitable adjusting some columns. So the Cm,s  is the multiplication of s polynomials. This procedure is as follows 0 x1 xs+1 . .. x2 xs+2 x1 xs+1 x2 xs+2 . . = Cm,s  = . 0 . . xs+1 1 . . . .. .. . 1
xm
Next we will adopt mathematic induction method to prove. Suppose Cm,s  can be transformed to s × s diagonal matrix in the case (k − 1)s < m ≤ ks with some elementary row or column operations. Next we need to prove this is true for ks < m ≤ (k + 1)s. In this case, we partition matrix Cm,s as following where Cks,s is a ks × ks submatrix. ⎛ ⎞ 0 ⎜ ⎟ .. ⎜ Cks,s ⎟ . ⎜ ⎟ ⎜ 1 ⎟ ⎟ Cm,s = ⎜ ⎜0 ⎟ 1 xm−s+1 ⎜ ⎟ ⎜ . ⎟ .. .. ... ⎝ ⎠ . 0
1
xm
134
G. Zeng et al.
According to our hypothesis, Cks,s can be transformed to s × s diagonal matrix during some elementary operations. We assume the result diagonal matrix is diag(x1 , · · · , xs ), hence after applying these transformations we have x1 Cm,s  = 1
∗ ..
. xs xm−s+1
..
. 1
.. . ∗ .. . xm
Then using the similar elementary operations as that in the case of m ≤ 2s, we can obtain another s × s diagonal matrix. Hence the determinant of Cm,s is the multiplication of s polynomials. For ﬁnding other types of word oriented cascade jump σ−LFSRs, one should choose both f (x) and f ⊥ (x) to be primitive. To be eﬃciently implemented in software, one needs to choose special matrix, which can be fast implemented on CPU. In the search procedure, one needs to carefully observe the test results to ﬁnd some necessary condition for decreasing the search time. Finally, for the security aspect, one needs to pick out those whose Hamming weight are as large as possible.
4
Jump Index Calculation
The determination of the jump index of a given irreducible polynomial is a challenging task, especially for high degree polynomials, as it comes to ﬁnding the discrete logarithm in a large ﬁnite extension ﬁeld. By employing a small amount of theory and a huge amount of computing power at the present time it is easy to determine the jump index of our examples as above. Let f (x) be the primitive σ−polynomial deﬁned in Eq. (4), we brieﬂy outline how we use the methods of PohligHellman and Pollard to compute d = logx (x+ 1) in ﬁnite ﬁeld F = F2128 . First we use the PohligHellman method [12] to reduce the DLP in F∗ to the DLP in groups of prime group of order p, with p dividing F∗  = 2128 − 1. There are totally 9 subgroups due to 2128 − 1 = 3 ∗ 5 ∗ 17 ∗ 257 ∗ 641 ∗ 65537 ∗ 274177 ∗ 6700417 ∗ 67280421310721. For each p dividing F∗ , we compute d mod p as (x + 1)F
∗
/p
= (xF
∗
/p d mod p
)
.
Each of these equations represents a DLP in the group of order p generated by ∗ xF /p . Having computed d mod p for all prime factors p, we use the Chinese Remainder Theorem to determine d. To ﬁnd d mod p in subgroup we use the Pollard’s Rho Method [13]. Assuming that G has group order G = p with p prime, we divide G into four pairwise disjoint sets T1 , T2 , T3 , T4 according to the
Word Oriented Cascade Jump σ−LFSR
135
Table 3. Jump Indexes Result of Our Examples in Table 2 SN 1 dual of SN 1 SN 2 dual of SN 2 SN 3 dual of SN 3 SN 4 dual of SN 4 SN 5 dual of SN 5 SN 6 dual of SN 6 SN 7 dual of SN 7 SN 8 dual of SN 8 SN 9 dual of SN 9 SN 10 dual of SN 10
229293628387587534271494079939876772168 171093700099261338188907767079510869762 336329875434468839552512651424276600321 221670400420824361821529547693718365366 132704672458331951512744918391743389836 63484811825393477931744641796814909436 242693385714521507540553960871504133333 242175253972759543846615773932946320432 302663685763979419983753102844986248754 30363583456125956220431035122577343503 38103675587383110403116109629553749812 21701473805279016312844913568808878794 294387267487675766095140689863605610440 337929409571672598321702082033778437886 196365381069874425320432318291992328986 106083960323802987776388354828025397851 333320604818996548962247785769086115220 38808670205409475437208962295677546997 199203367905034120698612111405886013754 258674226151357822616504808032925789541
constant and x item coeﬃcient. Let fP : G → G as ⎧ (x + 1) ∗ y, y ∈ T1 ; ⎪ ⎪ ⎨ 2 y ∈ T2 ; y , fP (y) x ∗ y, y ∈ T3 ; ⎪ ⎪ ⎩ x ∗ (x + 1) ∗ y, y ∈ T4 . We choose a random number α in the range {1, 2, · · · , G}, compute a starting element y0 = xα , and put yi+1 = fP (yi ) for i = 1, 2, · · · . This induces two triple integer sequences and we check whether y2i matches yi . If this is the case, we can obtain d mod p with very high probability. If not, we repeat the whole for large computation with another starting value y0 ; but this case is very rare group orders G = p. The expected value of iteration is about 1.229 πG/2 and it take about one minute to compute one discrete logarithm on average. The following table is the jump index of examples in Table 2. We list the jump index of f (x) and its dual f ⊥ (x). From the table, we can see the jump indexes are extremely large, hence the cascade jump σ−LFSR is an eﬀective method in clock control design indeed.
5
Conclusions
Modern processors have already gained much of better performance than their predecessors. This indicates the design criteria of software oriented cryptographic algorithm should fully beneﬁt from these changes. We have illustrated one type word
136
G. Zeng et al.
oriented cascade jump σ−LFSR, which is software oriented design and hence has fast speed. Although not shown in great detail, it should be clear that these word oriented cascade jump σ−LFSR constructions can be used as building blocks in software oriented clock control stream cipher in a very eﬃcient way.
References 1. ECRYPT, eSTREAM: ECRYPT Stream Cipher Project, http://www.ecrypt.eu.org/stream/ 2. Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with liners feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003) 3. Courtois, N.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003) 4. Jansen, C.J.A., Helleseth, T., Kholosha, A.: Cascade jump controlled sequence generator and Pomaranch stream cipher (Version 3), eSTREAM, ECRYPT Stream Cipher Project (2007) 5. Jansen, C.J.A.: Streamcipher design: Make your LFSRs jump! In: The State of the Art of Stream Ciphers, Workshop Record, Brugge, Belgium, October 2004, pp. 94–108 (2004) 6. Jansen, C.J.A.: Stream cipher design based on jumping ﬁnite state machines. Cryptology ePrint Archive, Report 2005/267 (2005), http://eprint.iacr.org/2005/267/ 7. Hawkes, P., Rose, G.G.: Primitive Speciﬁcation and Supporting Documentation for SOBERt32 Submission to NESSIE. In: First NESSIE Workshop (2000) 8. Ekdahl, P., Johansson, T.: A New Version of the Stream Cipher SNOW. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 47–61. Springer, Heidelberg (2003) 9. Berbain, C., Billet, O., et al.: Sosemanuk, a fast softwareoriented stream cipher. ECRYPT Stream Cipher Project (2007) 10. Zeng, G., Han, W., He, K.C.: High eﬃciency feedback shift register: σ−LFSR. Cryptology ePrint Archive, Report 2007/114 (2007) 11. Zeng, G., He, K.C., Han, W.: A trinomial type of σ−LFSR oriented toward software implementation. Science in China Series FInformation Sciences 50(3), 359–372 (2007) 12. Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF (p) and its cryptographic signiﬁcance. IEEE Transactions on Information Theory 24, 106–110 (1978) 13. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32(143), 918–924 (1978) 14. Teske, E.: Speeding Up Pollard’s Rho Method for Computing Discrete Logarithms. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 541–554. Springer, Heidelberg (1998)
On Some Sequences of the Secret Pseudorandom Index j in RC4 Key Scheduling Riddhipratim Basu1 , Subhamoy Maitra1 , Goutam Paul2 , and Tanmoy Talukdar1 1
Indian Statistical Institute , 203 B T Road, Kolkata 700 108, India [email protected], [email protected], [email protected] 2 Department of Computer Science and Engineering, Jadavpur University, Kolkata 700032 goutam [email protected]
Abstract. RC4 Key Scheduling Algorithm (KSA) uses a secret pseudorandom index j which is dependent on the secret key. Let SN be the permutation after the complete KSA of RC4. It is known that the value of j in round y + 1 can be predicted with high probability from SN [y] for −1 [y] for the ﬁnal values of y. This fact the initial values of y and from SN has been exploited in several recent works on secret key recovery from SN . In this paper, we perform extensive analysis of some special sequences of indices corresponding to the j values that leak useful information for key recovery. We present new theoretical results on the probability and the number of such sequences. As an application, we explain a new secret key recovery algorithm that can recover a 16 bytes secret key with a success probability of 0.1409. Our strategy has high time complexity at this point and requires further improvement to be feasible in practice. Keywords: Bias, Cryptanalysis, Filter, Key Recovery, Permutation, RC4, Sequence, Stream Cipher.
1
Introduction
The RC4 stream cipher has been designed by Ron Rivest for RSA Data Security in 1987, and was a propriety algorithm until 1994. The RC4 cipher has two components, namely, the Key Scheduling Algorithm (KSA) and the PseudoRandom Generation Algorithm (PRGA). The KSA expands a secret key k[0 . . . l − 1] into an array K[0 . . . N − 1] such that K[y] = k[y mod l] for any y, 0 ≤ y ≤ N − 1. Using this key, an identity permutation S[0 . . . N −1] of {0, 1, . . . N −1} is scrambled using two indices i, j. The PRGA uses this permutation to generate pseudorandom keystream bytes z1 , z2 , . . ., that are bitwise XORed with the plaintext to generate the ciphertext at the sender end and bitwise XORed with the ciphertext to get back the plaintext at the receiver end. Any addition used related to the RC4 description is in general addition modulo N unless speciﬁed otherwise.
The ﬁrst and last authors worked for this paper during the winter break between the semesters (2008–2009) in their Bachelor of Statistics course.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 137–148, 2009. c SpringerVerlag Berlin Heidelberg 2009
138
R. Basu et al.
KSA(K) Initialization: For i = 0, . . . , N − 1 S[i] = i; j = 0; Scrambling: For i = 0, . . . , N − 1 j = (j + S[i] + K[i]); Swap(S[i], S[j]);
PRGA(S) Initialization: i = j = 0; Keystream Generation Loop: i = i + 1; j = j + S[i]; Swap(S[i], S[j]); t = S[i] + S[j]; Output z = S[t];
We use subscript r to the variables S, i and j to denote their updated values in round r, where 1 ≤ r ≤ N . According to this notation, SN is the permutation after the completion of the KSA. By S0 and j0 , we mean the initial permutation and the initial value of the index j respectively before the KSA begins. We use the notation S −1 for the inverse of the permutation S, i.e., if S[y] = v, then y + K[x], 0 ≤ y ≤ N −1. S −1 [v] = y. By fy (K), we denote the expression y(y+1) 2 x=0
RC4 is the most popular and widely deployed software stream cipher. It is used in network protocols such as SSL, TLS, WEP and WPA, and also in Microsoft Windows, Lotus Notes, Apple AOCE, Oracle Secure SQL etc. The cipher is simple in structure, easy to implement and eﬃcient in throughput. Yet after more than twenty years of cryptanalysis, the cipher is still not completely broken and is of great interest to the cryptographic community. One may refer to [7,9,13] and the references therein for a detailed exposition on RC4 cryptanalysis. In [12], it has been argued that the most likely value of the yth element of the permutation after the KSA for the ﬁrst few values of y is given by SN [y] = fy (K). The experimental values of the probabilities P (SN [y] = fy (K)) for y from 0 to 47 were reported in [12] without any theoretical proof. The expressions for the probabilities P (SN [y] = fy (K)) for all values of the index y in [0, N − 1] were theoretically derived in [10, Section 2] and the work [11, Section 2.1] generalized it to derive P (Sr [y] = fy (K)) for all rounds r, 1 ≤ r ≤ N . It has been shown in [6] that the bytes SN [y], SN [SN [y]], SN [SN [SN [y]]], and so on, are biased to fy (K). In particular, they showed that P (SN [SN [y]] = fy (K)) decreases from 0.137 for y = 0 to 0.018 for y = 31 and then slowly settles down to 0.0039 (beyond y = 48). In [10, Section 3], for the ﬁrst time an algorithm is presented to recover the complete key from the ﬁnal permutation after the KSA using the Roos’ biases, without any assumption on the key or IV. The algorithm recovers some secret key bytes by solving sets of independent equations of the form SN [y] = fy (K) and the remaining key bytes by exhaustive search. Subsequently, the work [2] additionally considered diﬀerences of the above equations and reported better results. Recently, [1] has accumulated the ideas in the earlier works [2,6,10] along with some additional new results to devise a more eﬃcient algorithm for key recovery. After the publication of [2,10], another work [11] which has been performed independently and around the same time as [1] shows that each byte
On Some Sequences of the Secret Pseudorandom Index j
139
of SN actually reveals secret key information. The key recovery algorithm of [11] sometimes outperform that of [2]. A recent work [3] starts with the equations of [2] and considers a bitbybit approach to key recovery. Getting back the secret key from the ﬁnal permutation after the KSA is an important problem in RC4 cryptanalysis. State recovery from keystream [4,8,14], another important attack on RC4, can be turned into a key recovery attack if key reconstruction from SN is possible in a time complexity less than that of state recovery attacks. Moreover, in certain applications such as WEP [5], the key and the IV are combined in such a way that the secret key can be easily extracted from the session key. For these applications, if one can recover the session key from the permutation then it is possible to get back the secret key. In that case, for subsequent sessions where the same secret key would be used with diﬀerent known IV’s, the RC4 encryption would be completely insecure. In this paper, we study sequences of jy+1 values corresponding to the rounds y + 1 when i takes the value y, 0 ≤ y ≤ N − 1. We concentrate on a span equal to the key length at each end of the permutation SN . Based on our sequence analysis in Section 2, we present a novel bidirectional search algorithm for secret key recovery in Section 3. Our algorithm can recover secret keys of length 16 bytes with a success probability of 0.1409, which is almost two times the currently best known value of 0.0745 reported in [1]. The time reported in [1] for probability 0.0745 is 1572 seconds, but it is not clear how the complexity of [1] would grow with increase in probability. Our analysis provides better probability and a method to achieve that, but further tuning is required to make our strategy feasible in practice as the time complexity is very high. Our main idea is to guess K[0], K[1], . . . using the left end of the permutation and guess K[l − 1], K[l − 2], . . . using the right end of the permutation simultaneously. When some key bytes are guessed, the KSA may be run (in the forward or in the backward direction, depending on the location of the guessed key bytes) until a known jy+1 is encountered. If this matches with the computed jy+1 , then the guessing is continued, else the partial key is discarded. Thus, the indices y for which jy+1 ’s are known act as “ﬁlters” for separating out the wrong keys from the correct candidates. All the existing works on key recovery from the ﬁnal permutation after the KSA try to guess the entire key together. Our bidirectional key retrieval makes use of the fact that once certain key bytes are known, the choice of possible values of the remaining key bytes become restricted. To our knowledge, the concept of “ﬁltering technique” as well as the notion of bidirectional key search is a completely diﬀerent and new approach towards secret key recovery of RC4.
2
Theoretical Analysis of Sequences of Filter Indices
In this section, we study the structure and algebraic properties of the sequence of indices that act as ﬁlters for validating the secret key guesses. For simplicity, we restrict l to be a factor of N .
140
R. Basu et al.
The secret index j is pseudorandom and may be considered uniformly distributed in [0, N − 1]. In general, if the values for a sequence of m many j’s are guessed randomly, the success probability is N −m . For N = 256 and m = 8, this value turns out to be 2−64 . Whereas, using our theoretical framework, we can guess a sequence of j values with very good probability (see Table 1). Definition 1 (Event Ay ). For 0 ≤ y ≤ N − 1, event Ay occurs if and only if the following three conditions hold. 1. Sy [y] = y and Sy [jy+1 ] = jy+1 . 2. jy+1 ≥ y. 3. SN [y] = Sy+1 [y]. Proposition 1. py = P (Ay ) = ( NN−y ) · ( NN−2 )y · ( NN−1 )N −1−y , 0 ≤ y ≤ N − 1. Proof. Let us analyze the conditions mentioned in the deﬁnition of Ay . 1. Sy [y] = y and Sy [jy+1 ] = jy+1 occur if jt ∈ / {y, jy+1 }, for 1 ≤ t ≤ y, the probability of which is ( NN−2 )y . 2. P (jy+1 ≥ y) = NN−y . 3. SN [y] = Sy+1 [y], if jt = y, ∀t ∈ [y + 2, N ]. This happens with probability ( NN−1 )N −y−1 . Multiplying the above three probabilities, we get the result.
Note that the event Ay implies jy+1 = SN [y] and Proposition 1 is a variant of [10, Lemma 2] that relates jy+1 and SN [y]. Definition 2 (Event By ). For 0 ≤ y ≤ N − 1, event By occurs if and only if the following three conditions hold. 1. Sy [y] = y. 2. jy+1 ≤ y. 3. SN [jy+1 ] = Sy+1 [jy+1 ]. N −1 N −1 Proposition 2. py = P (By ) = ( y+1 , 0 ≤ y ≤ N − 1. N )·( N )
Proof. Let us analyze the conditions mentioned in the deﬁnition of By . 1. Sy [y] = y occurs if jt = y for 1 ≤ t ≤ y, the probability of which is ( NN−1 )y . 2. P (jy+1 ≤ y) = y+1 N . 3. SN [jy+1 ] = Sy+1 [jy+1 ], if jt = jy+1 , ∀t ∈ [y + 2, N ]. This happens with probability ( NN−1 )N −y−1 . Multiplying the above three probabilities, we get the result.
−1 [y], 0 ≤ y ≤ N − 1. By is the same as Note that the event By implies jy+1 = SN the event E1 (y) deﬁned in [11] and the proof of Proposition 2 has been presented as part of the proof of [11, Theorem 3].
On Some Sequences of the Secret Pseudorandom Index j
141
Definition 3 (Filter). An index y in [0, N − 1] is called a ﬁlter if either of the following two holds. 1. 0 ≤ y ≤ N2 − 1 and event Ay occurs. 2. N2 ≤ y ≤ N − 2 and event By occurs. Definition 4 (Bisequence). Suppose jN is known. Then a sequence of at least (t+t +1) many ﬁlters is called a (t, t )bisequence if the following three conditions hold. 1. Exactly t many ﬁlters 0 ≤ i1 < i2 < . . . < it ≤ 2l − 1 exist in the interval [0, 2l − 1]. 2. Exactly t many ﬁlters N − 1 − 2l ≤ it < . . . < i1 ≤ N − 2 exist in the interval [N − 1 − 2l , N − 2]. 3. Either a ﬁlter it+1 exist in the interval [ 2l , l − 1] or a ﬁlter it +1 exist in the interval [N − 1 − l, N − 2 − 2l ]. Lemma 1. Given a set Ft of t many indices in [0, 2l − 1], a set Bt of t many indices in [N − 1 − 2l , N − 2] and an index x in [ 2l , l − 1] ∪ [N − 1 − l, N − 2 − 2l ], the probability of the sequence of indices Ft ∪ Bt ∪ {x} to be a (t, t )bisequence is ⎛ ⎞ ⎝ piu qiv pi qi ⎠ p˜x , iu ∈Ft
iv ∈[0,l−1]\(Ft ∪{x})
iu ∈Bt
u
iv ∈[N −1−l,N −2]\(Bt ∪{x})
v
where qy = 1 − py , qy = 1 − py for 0 ≤ y ≤ N − 1 and p˜x = px or px according as x ∈ [ 2l , l − 1] or [N − 1 − l, N − 2 − 2l ] respectively. Proof. According to Deﬁnition 4, Ft ∪ Bt ∪ {x} would be an (t, t )bisequence, if the indices in Ft and Bt and the index x are ﬁlters and the indices in ([0, l − 1] ∪ [N − 1 − l, N − 2]) \ (Ft ∪ Bt ∪ {x}) are nonﬁlters. Hence, the result follows from Propositions 1 and 2. Definition 5 (Critical Filters). The last ﬁlter it within the ﬁrst 2l indices and the ﬁrst ﬁlter it within the last 2l indices for an (t, t )bisequence are called the left critical and the right critical ﬁlters respectively. Together, they are called the critical ﬁlters. Definition 6 (Favourable Bisequence). A (t, t )bisequence is called dfavourable, d ≤ 2l , if the following seven conditions hold. 1. 2. 3. 4. 5. 6. 7.
i1 + 1 ≤ d. iu+1 − iu ≤ d, ∀u ∈ [1, t − 1]. l 2 − 1 − it ≤ d. N − 1 − i1 ≤ d. iv − iv+1 ≤ d, ∀v ∈ [1, t − 1]. it − (N − 1 − 2l ) ≤ d. it+1 − it ≤ d or it − it +1 ≤ d.
142
R. Basu et al.
Let us interpret the conditions mentioned in Deﬁnition 6. For ease of reference, we introduce a dummy index −1 to the left of index 0. Conditions 1 and 4 ensure that the ﬁrst ﬁlter to the right of index −1 and the ﬁrst ﬁlter to the left of index N − 1 are at most at a distance d from indices −1 and N − 1 respectively. Conditions 2 and 5 ensure that the distance between any two consecutive ﬁlters to the left of left critical ﬁlter and to the right of right critical ﬁlter is at most d. Conditions 3 and 6 ensure that the left and right critical ﬁlters are at most at a distance d from indices 2l − 1 and N − 1 − 2l respectively. Consider the ﬁrst ﬁlter it+1 to the right of the left critical ﬁlter and the ﬁrst ﬁlter it +1 to the left of the right critical ﬁlter. For a (t, t )bisequence, at least one of it+1 and it +1 must exist. Condition 7 ensures that whichever exist (and at least one of the two, if both exist) is located at most at a distance d from the corresponding critical ﬁlter. Lemma 2. The number of distinct sequences of indices in [0, 2l − 1] ∪ [N − 1 − 2l , N − 2] satisfying the conditions 1 through 6 of Deﬁnition 6 is l δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ c(δ, t)c(δ , t ), where δ = 2 − 1 − it , δ = it − 2
2
l
(N − 1 − 2l ), and c(δ, t) is the coeﬃcient of x 2 −δ−t in (1 + x + . . . + xd−1 )t . Proof. Let x1 = i1 , xu = iu − iu−1 − 1 for 2 ≤ u ≤ t be the number of nonﬁlters between two consecutive ﬁlters in [0, it ]. The total number of nonﬁlters in the interval [0, it ] is it − (t − 1) = ( 2l − 1 − δ) − (t − 1) = 2l − δ − t. Thus, the number of distinct sequences of indices in [0, 2l − 1] satisfying conditions 1, 2 and 3 of Deﬁnition 6 is the same as the number of nonnegative integral solutions of x1 + x2 + . . . + xt = 2l − δ − t, where 0 ≤ xu ≤ d − 1, ∀u ∈ [1, t]. The number of solutions is given by c(δ, t). Similarly, the number of distinct sequences of indices in [N − 1 − 2l , N − 2] satisfying conditions 4, 5 and 6 of Deﬁnition 6 is c(δ , t ). l l Hence, the number of distinct sequences of indices in [0, 2 − 1]∪[N − 1 − 2 , N −2] satisfying the conditions 1 through 6 is δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ c(δ, t)c(δ , t ). 2 2 Theorem 1. The probability of existence of a dfavourable (t, t )bisequence in [0, l − 1] ∪ [N − 1 − l, N − 2] is piu qiv pi πd = t,t Ft ,Bt iu ∈Ft
iv ∈[N −1− 2l ,N −2]\Bt
iv ∈[0, 2l −1]\Ft
qi (1 − v
iu ∈Bt
u
q˜y ),
y∈[ 2l ,it +d]∪ [it −d,N −2− 2l ]
where the sum is over all t, t , Ft , Bt such that the sequence of indices Ft ∪ Bt satisfy the conditions 1 through 6 in Deﬁnition 6 and q˜y = qy or qy according as y ∈ [ 2l , it + d] or [it − d, N − 2 − 2l ] respectively. Proof. Immediately follows from Lemma 1. The term (1 − y∈[it +1,it +d]∪ [it − d, it − 1]˜ qy ) accounts for condition 7 of Deﬁnition 6. Using the deﬁnitions of c(δ, t), c(δ , t ) introduced in Theorem 2, we can approximate the probability expression presented in Theorem 1 as follows.
On Some Sequences of the Secret Pseudorandom Index j
143
Corollary 1. If l ≤ 16 (i.e., the key length is small), then we have l l c(δ, t)pt q 2 −t c(δ , t )pt q 2 −t (1 − q d−δ q d−δ ), πd ≈ δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ 2
where p =
2 l
l 2 −1
y=0
2
py , p =
2 l
N −2
y=N −1− 2l
py , q = 1 − p, q = 1 − p .
Proof. Approximating each py in the left half by the average p of the ﬁrst 2l many py ’s and each py in the right half by the average p of the last 2l many py ’s, we get the result. The ranges of the variables in the summation account l for conditions 3 and 6 of Deﬁnition 6. The term c(δ, t)pt q 2 −t accounts for the l conditions 1 and 2, the term c(δ , t )pt q 2 −t accounts for the conditions 4 and 5, and the term (1 − q d−δ q d−δ ) accounts for the condition 7 of Deﬁnition 6. In Table 1, we compare the theoretical estimates of πd from Corollary 1 with the experimental values obtained by running the RC4 KSA with 10 million randomly generated secret keys of length 16 bytes. Table 1. Theoretical and experimental values of πd vs. d with l = 16 d 2 3 4 5 6 Theoretical 0.0055 0.1120 0.3674 0.6194 0.7939 Experimental 0.0052 0.1090 0.3626 0.6152 0.7909
The results indicate that our theoretical values match closely with the experimental values. Theorem 2. The number of distinct dfavourable (t, t )bisequences containing exactly f ≤ 2l ﬁlters is
c(δ, t)c(δ , t )
δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ 2
2d−δ−δ
s=1
2
2d − δ − δ l − 2d + δ + δ . s f − t − t − s
Proof. By Lemma 2, the number of distinct sequences of indices in [0, 2l − 1] ∪ l [N − 1 − 2 , N − 2] satisfying the conditions 1 through 6 of Deﬁnition 6 is δ≤d,δ ≤d t≤ 2l −δ,t ≤ 2l −δ c(δ, t)c(δ , t ). The justiﬁcation for the two binomial coeﬃcients with a sum over s is as follows. For condition 7 to be satisﬁed, at least one out of 2d − δ − δ indices in [ 2l , 2l − 1 + d − δ] ∪ [N − 1 − 2l − (d − δ ), N − 2 − 2l ] must be a ﬁlter. Let the number of ﬁlters in this interval be s ≥ 1. So the remaining f − t − t − s many ﬁlters must be amongst the remaining l − 2d + δ + δ many indices in [ 2l + d − δ, l − 1] ∪ [N − 1 − l, N − 2 − 2l − (d − δ )] Corollary 2. The number of distinct dfavourable (t, t )bisequences containing at most F ≤ 2l ﬁlters is Cd,F = c(δ, t)c(δ , t ) δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ 2
2
144
R. Basu et al.
2d−δ−δ
s=1
F −t−t −s l − 2d + δ + δ 2d − δ − δ . s r r=0
Proof. In addition to s ≥ 1 ﬁlters in [ 2l , 2l −1+d−δ]∪[N −1− 2l −(d−δ ), N −2− 2l ], we need r more ﬁlters in [ 2l + d − δ, l − 1] ∪ [N − 1 − l, N − 2 − 2l − (d − δ )], where t + t + s + r ≤ F . Corollary 3. The number of distinct dfavourable (t, t )bisequences in [0, l − 1] ∪ [N − 1 − l, N − 2] (containing at most 2l ﬁlters) is c(δ, t)c(δ , t )(1 − 2−2d+δ+δ )2l . Cd,2l = δ≤d,δ ≤d t≤ l −δ,t ≤ l −δ 2
2
Proof. Substitute F = 2l in Corollary 2 and simplify. Alternatively, number of distinct sequences satisfying the conditions 1 the through 6 is δ,δ t,t c(δ, t)c(δ , t )2l and out of these the number of sequences violating the condition 7 is δ,δ t,t c(δ, t)c(δ , t )2l−2d+δ+δ . Subtracting, we get the result. Note that the term 2r stands for the number of ways in which a set of r indices may be a ﬁlter or a nonﬁlter. As an illustration, we present Cd,F for diﬀerent d and F values with l = 16 in Table 2. Table 2. Cd,F for diﬀerent F and d values with l = 16 F 32 20 16 12 8 d = 2 227.81 227.31 224.72 218.11 23.58 d = 3 230.56 230.38 229.02 224.86 215.95 d = 4 231.47 231.35 230.38 227.17 220.14
Though we have assumed that l divides N in our analysis, the same idea works when l is not a factor of N . One only needs to map the indices from the right end of the permutation to the appropriate key bytes.
3
Application of Filter Sequences in Bidirectional Key Search
Here, we demonstrate how the theoretical framework of ﬁlter sequences developed in the previous section can be used to devise a novel key retrieval algorithm. Suppose that after the completion of the RC4 KSA, the ﬁnal permutation SN and the ﬁnal value jN of the index j is known. The update rule for KSA is jy+1 = jy + Sy [y] + K[y], 0 ≤ y ≤ N − 1. Since S0 is identity permutation and j0 = 0, we have j1 = K[0]. Thus, if index 0 is a ﬁlter, then K[0] is known. Again, if index N − 2 is a ﬁlter, then jN −1 is known and hence K[l − 1] = K[N − 1] = jN − jN −1 − SN −1 [N − 1] = jN − jN −1 − SN [jN ] is also known. Moreover, if two
On Some Sequences of the Secret Pseudorandom Index j
145
consecutive indices y − 1 and y are ﬁlters, 1 ≤ y ≤ N − 2, then jy and jy+1 are known and Sy [y] = y from the deﬁnition of ﬁlters. Thus, the correct value of the key byte K[y mod l] can be derived as K[y mod l] = jy+1 − jy − y. For full key recovery, apart from the knowledge of the ﬁnal permutation SN and the ﬁnal value jN of the index j, we also need to assume that a dfavourable (t, t )bisequence exist. Given such a sequence, our algorithm does not require to guess more than d many key bytes at a time. For faster performance, we like to keep d small (typically, 4). Our basic strategy for full key recovery is as follows. First, we perform a partial key recovery using ﬁlters in the interval [0, M − 1] ∪ [N − 1 − M, N − 2], where l ≤ M ≤ 2l, such that the correct values of at least ncorr out of l key bytes are uniquely determined and at least nin out of ncorr are found from the ﬁlters in [0, l − 1] ∪ [N − 1 − l, N − 2]. Let P be the set of partially recovered key bytes, each of which is associated with a single value, namely, the correct value of itself. Next, we build a frequency table for the l − ncorr many unknown key bytes as follows. We guess one jy+1 from the 8 values −1 −1 −1 [y], SN [SN [[y]], SN [SN [y]], SN [SN [SN [y]]], SN [y], SN −1 −1 −1 −1 −1 −1 −1 [SN [SN [y]]], SN [SN [SN [SN [y]]]] and SN [SN [SN [SN [y]]]]. From two SN successive j values jy and jy+1 , 8 × 8 = 64 candidates for the key byte K[y] are obtained. This part is similar to the 6 × 6 = 36 candidate keys from up to −1 as in [1]. These candidates are three levels of nested indexing of SN and SN weighted according to their probabilities. We split the 256 possible values of each unknown key byte K[y] into 4 sets of size 64 each. Let Gy be the set of values obtained from the above frequency table and let H1,y , H2,y , H3,y be the other sets, called bad sets. For 0 ≤ y ≤ l − 1, let gy = P (K[y] ∈ Gy ). Since empirical results show that gy is almost the same for each y, we would be using the average l−1 g = 1l y=0 gy in place of each gy . After this, we perform a bidirectional search from both ends several times, each time with exactly one of the sets {Gy , H1,y , H2,y , H3,y } for each unknown key byte. We decide to use the bad sets for at most b of the unknown key bytes. The search algorithm, called BidirKeySearch, takes as inputs the ﬁnal permutation SN , the ﬁnal value jN , the partially recovered key set P, a set S of l−ncorr many candidate sets each of size 64 and a dfavourable (t, t )bisequence B. For the left end, ﬁrst we guess the key bytes K[0], . . . , K[i1 ] except those in P. Starting with S0 and j0 , we run the KSA until we obtain Si1 +1 and ji1 +1 . Since the correct value of ji1 +1 is known, the tuples leading to the correct ji1 +1 form a set Ti1 of candidate solutions for K[0 . . . i1 ]. These tuples are said to “pass the ﬁlter” i1 . Similarly, starting with ji1 +1 and each state Si1 +1 associated with each tuple in Ti1 , we guess K[i1 + 1], . . . , K[i2 ] except those in P. Thus, we obtain a set Ti2 of candidate solutions for K[0 . . . i2 ] passing the ﬁlter i2 , and so on until we reach a stage where we have a set Tit of candidate solutions for K[0 . . . it ] passing the left critical ﬁlter it . In the same manner, we start with SN and jN
146
R. Basu et al.
and run the KSA backwards until we reach a stage where we have a set Tit of candidate solutions for K[it + 1 . . . l − 1] passing the right critical ﬁlter it . Among the set of remaining key bytes L = {K[it + 1], . . . , K[it+1 ]} \ P on the left and the set of remaining key bytes R = {K[it +1 + 1], . . . , K[it ]} \ P on the right, some bytes are common. We ﬁrst guess the smaller of these two sets and then guess only those key bytes from the larger set that are needed to complete the whole key. We can reduce the candidate keys by ﬁltering the left half of the key using the right ﬁlters and the right half of the key using the left ﬁlters. In the BidirKeySearch algorithm description, i0 and i0 denote the two default ﬁlters −1 (a dummy ﬁlter) and N − 1 respectively. BidirKeySearch (SN , jN , P, S, B) Guess the Left HalfKey: 1. For u = 1 to t do 1.1. Iteratively guess {K[iu−1 + 1], . . . , K[iu ]} \ P.
1.2. Tiu ← {K[0], . . . , K[iu ]} : the tuple pass the ﬁlter iu . Guess the Right HalfKey: 2. For v =1 to t do 2.1. Iteratively guess {K[iv + 1], . . . , K[iv−1 ]} \ P.
2.2. Tiv ← {K[iv + 1], . . . , K[l − 1]} : the tuple pass the ﬁlter iv . Merge to Get the Full Key: 3. L ← {K[it + 1], . . . , K[it+1 ]} \ P and R ← {K[it +1 + 1], . . . , K[it ]} \ P. 4. If L < R then do 4.1. Guess L.
4.2. Tit+1 ← {K[0], . . . , K[it+1 ]} : the tuple pass the ﬁlter it+1 . 4.3. Guess R \ Tit+1 using the ﬁlter it +1 . 5. Else 5.1. Guess R.
5.2. Ti ← {K[it + 1], . . . , K[l − 1]} : the tuple pass the ﬁlter iv . t +1
5.3. Guess L \ Ti
t +1
using the ﬁlter it+1 .
CrossFiltration: 6. If K[0 . . . m − 1] is guessed from the left ﬁlters and K[m . . . l − 1] is guessed from the right ﬁlters, then validate K[m . . . l − 1] using the left ﬁlters up to l − 1 and validate K[0 . . . m − 1] using the right ﬁlters up to N − 1 − l.
Let m1 be the complexity and α be the probability of obtaining a dfavourable (t, t ) bisequence along with the partially recovered key set P, satisfying the input requirements of BidirKeySearch. We require a search complexity of m2 = 2(M−l) for locating the ncorr − nin many correct key bytes from the ﬁlters in ncorr −nin [l, l+M −1]∪[N −1−l, N −2−M ]. We need to run the BidirKeySearch algorithm b n−ncorr r a total of m3 = 3 times and this gives a success probability r=0 r n−ncorr β = r=n−ncorr −b n−nrcorr g r (1−g)n−ncorr −r . If each run of the BidirKeySearch algorithm consumes τ time, the overall complexity for the full key recovery is m1 m2 m3 τ 28 and the success probability is αβ. The term 28 comes for guessing the correct value of jN .
On Some Sequences of the Secret Pseudorandom Index j
147
For l = 16, d = 4, M = 20, ncorr = 6, nin = 4, our experiments with 10 million randomly generated secret keys reveal that α ≈ 0.1537 and g ≈ 0.8928. Also, m1 ≈ 231 (see Table 2) and m2 ≈ 25 . With b = 2, β and m3 turn out to be 0.9169 and 29 (approx.) respectively. Thus, the success probability is αβ ≈ 0.1409 and the complexity is approximately 231+5+9+8 τ = 253 τ . Though the the exact estimation of τ is not feasible at this point, τ is expected to be small, since for wrong ﬁlter sequences the search is likely to terminate in a negligible amount of time. So far, the best known success probability for recovering a 16 bytes secret key has been 0.0745 [1]. The time reported in [1] for this probability is 1572 seconds, but it is not clear how the complexity of [1] would grow with increase in probability. We present better probability (almost two times that of [1]), but with very high time complexity, which is infeasible in practice unless further improvement is made.
4
Conclusion
In this paper, we have performed a detailed theoretical study on sequences of j indices in RC4 KSA. We have also demonstrated an application of our sequence analysis in secret key recovery from the ﬁnal permutation after the KSA. Though our key retrieval algorithm has good success probability, it has high time complexity. Currently, we are working on some more special sequences to reduce the complexity parts from those reported in Table 2 and thereby improve the overall time complexity for key recovery.
References 1. Akg¨ un, M., Kavak, P., Demirci, H.: New Results on the Key Scheduling Algorithm of RC4. In: Chowdhury, D.R., Rijmen, V. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 40–52. Springer, Heidelberg (2008) 2. Biham, E., Carmeli, Y.: Eﬃcient Reconstruction of RC4 Keys from Internal States. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 270–288. Springer, Heidelberg (2008) 3. Khazaei, S., Meier, W.: On Reconstruction of RC4 Keys from Internal States. In: Calmet, J., Geiselmann, W., M¨ ullerQuade, J. (eds.) Mathematical Methods in Computer Science (MMICS). LNCS, vol. 5393, pp. 179–189. Springer, Heidelberg (2008) 4. Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis Methods for (Alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998) 5. LAN/MAN Standard Committee. Wireless LAN medium access control (MAC) and physical layer (PHY) speciﬁcations, 1999 edition. IEEE standard 802.11 (1999) 6. Maitra, S., Paul, G.: New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 253–269. Springer, Heidelberg (2008); A revised and extended version with the same title is available at the IACR Eprint Server, eprint.iacr.org, number 2007/261 (January 9, 2009)
148
R. Basu et al.
7. Mantin, I.: Analysis of the stream cipher RC4. Master’s Thesis, The Weizmann Institute of Science, Israel (2001) 8. Maximov, A., Khovratovich, D.: New State Recovering Attack on RC4. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 297–316. Springer, Heidelberg (2008) 9. McKague, M.E.: Design and Analysis of RC4like Stream Ciphers. Master’s Thesis, University of Waterloo, Canada (2005) 10. Paul, G., Maitra, S.: Permutation after RC4 Key Scheduling Reveals the Secret Key. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 360–377. Springer, Heidelberg (2007) 11. Paul, G., Maitra, S.: RC4 State Information at Any Stage Reveals the Secret Key. IACR Eprint Server, eprint.iacr.org, number 2007/2008 (January 9, 2009); This is an extended version of [10] 12. Roos, A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, messageid [email protected] and [email protected] (1995) 13. Tews, E.: Attacks on the WEP protocol. IACR Eprint Server, eprint.iacr.org, number 2007/471, December 15 (2007) 14. Tomasevic, V., Bojanic, S., NietoTaladriz, O.: Finding an internal state of RC4 stream cipher. Information Sciences 177, 1715–1727 (2007)
VeryEﬃcient Anonymous PasswordAuthenticated Key Exchange and Its Extensions SeongHan Shin1,2 , Kazukuni Kobara1,2, and Hideki Imai2,1 1 Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), 11813, Sotokanda, Chiyodaku, Tokyo, 1010021 Japan [email protected] 2 Chuo University, 11327, Kasuga, Bunkyoku, Tokyo, 1128551 Japan
Abstract. An anonymous passwordauthenticated key exchange (anonymous PAKE) protocol is designed to provide both passwordonly authentication and user anonymity. In this paper, we propose a veryeﬃcient anonymous PAKE (called, VEAP) protocol that provides the most eﬃciency among their kinds in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semihonest server. If the precomputation is allowed, the computation cost of the VEAP protocol is the same as the wellknown DiﬃeHellman protocol! In addition, we extend the VEAP protocol in two ways.
1
Introduction
Since the DiﬃeHellman protocol [8], many researchers have tried to design secure cryptographic algorithms/protocols for realizing secure channels. These algorithms/protocols are necessary because applicationoriented protocols (e.g., webmail, Internet banking/shopping, ftp) are frequently developed assuming the existence of such secure channels. The latter can be achieved by an authenticated key exchange (AKE) protocol at the end of which the involving parties authenticate and share a common session key to be used for subsequent cryptographic algorithms. For authentication, humanmemorable passwords are commonly used rather than highentropy keys because of their convenience. Many passwordbased AKE protocols (see [10]) have been extensively investigated so far. However, one should be very careful about two major attacks on passwords: online and oﬀline dictionary attacks. While online attacks are applicable to all of the passwordbased protocols equally, they can be prevented by having a server take appropriate countermeasures (e.g., lockup accounts after consecutive failures of passwords). But, we cannot avoid oﬀline attacks by such countermeasures mainly because these attacks can be done oﬀline and independently of the party. M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 149–158, 2009. c SpringerVerlag Berlin Heidelberg 2009
150
1.1
S. Shin, K. Kobara, and H. Imai
Anonymous PasswordAuthenticated Key Exchange
A passwordauthenticated key exchange (PAKE) protocol allows a user, who remembers his/her password only, to authenticate with the counterpart server that holds the password or its veriﬁcation data. In PAKE protocols (see [9]), a user should send his/her identity clearly in order to share an authenticated session key. Let us suppose an adversary who fully controls the networks. Though the adversary cannot impersonate any party in PAKE protocols, it is easy to collect a user’s personal information about the communication history itself. For this problem, Viet et al., [15] proposed an anonymous PAKE protocol and its threshold construction1 both of which simply combine a PAKE protocol [1] with an oblivious transfer (OT) protocol [7,14] for user’s anonymity. The user anonymity is guaranteed against an outside adversary as well as a passive server, who follows the protocol honestly. Later, Shin et al., [13] proposed an anonymous PAKE protocol that is only based on the PAKE protocol [1], and showed that their protocol signiﬁcantly improved the eﬃciency compared to [15]. Very recently, Yang and Zhang [16] proposed a new anonymous PAKE protocol that is based on a diﬀerent PAKE (i.e., SPEKE [11,12]) protocol. The main idea of [16] is that the user and the server share a DiﬀﬁeHellmanlike key, by using the SPEKE protocol [11,12], and then run a sequential DiﬃeHellman protocol partiallymasked with the shared key. To our best knowledge, all the anonymous PAKE protocols are constructed from PAKE protocols and, among them, the construction of [16] seems the most eﬃcient in terms of computation and communication costs. 1.2
Our Contributions
In this paper, we propose a veryeﬃcient anonymous PAKE (called, VEAP) protocol whose core part is based on the blind signature scheme [5]. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semihonest server. In the VEAP protocol, the user and the server are required to compute only one modular exponentiation, respectively, if the precomputation is allowed. Surprisingly, this is the same computation cost of the wellknown DiﬃeHellman protocol [8] which does not provide authentication at all. Also, we extend the VEAP protocol in two ways: the ﬁrst is designed to reduce the communication cost of the VEAP protocol and the second shows that stripping oﬀ anonymity parts from the VEAP protocol results in a new PAKE protocol. Organization. In the next section, we explain some preliminaries to be used throughout this paper. In Section 3, we propose a veryeﬃcient anonymous PAKE (called, VEAP) protocol with security proof and eﬃciency comparison. In Section 4, we extend the VEAP protocol in two ways. 1
In their threshold construction, the ”threshold” number of users should collaborate one another in order to be authenticated by the server. In this paper, we only focus on an anonymous PAKE protocol where the threshold t = 1.
VeryEﬃcient Anonymous PAKE and Its Extensions
2
151
Preliminary
2.1
Notation
Here, we explain some notation. Let G be a ﬁnite, cyclic group of prime order p and g be a generator of G. The parameter (G, p, g) is public to everyone. In the aftermath, all the subsequent arithmetic operations are performed in modulo p unless otherwise stated. Let l and κ be the security parameters for hash functions (i.e., the size of the hashed value) and a symmetrickey encryption scheme (i.e., the length of the key), respectively. Let {0, 1}∗ be the set of ﬁnite binary strings and {0, 1}l be the set of binary strings of length l. Let ”” be the concatenation of bit strings in {0, 1}. Let us denote G∗ = G\{1} where 1 is the identity element of G. The G is a fulldomain hash (FDH) function that maps {0, 1} to the elements of G∗ . While F : {0, 1} → {0, 1}κ, the other hash functions are denoted Hk : {0, 1} → {0, 1}lk , for k = 1, 2, 3. Let U = {U1 , · · · , Un } and S be the identities of a group of n users and server, respectively. 2.2
Formal Model
In this subsection, we introduce an extended model, built upon [4,2], and security notions for anonymous PAKE. Model. In an anonymous PAKE protocol P , there are two parties Ui (∈ U ) and S where a pair of user Ui and server S share a lowentropy password pwi , chosen from a small dictionary Dpassword , for i (1 ≤ i ≤ n). Each of Ui and S may have several instances, called oracles involved in distinct, possibly concurrent, executions of P . We denote Ui (resp., S) instances by Uiμ (resp., S ν ) where μ, ν ∈ N, or by I in case of any instance. During the protocol execution, an adversary A has the entire control of networks whose capability can be represented as follows: – Execute(Uiμ , S ν ): This query models passive attacks, where the adversary gets access to honest executions of P between Uiμ and S ν . – Send(I, m): This query models active attacks by having A send a message m to an instance I. The adversary A gets back the response I generates in processing m according to the protocol P . – Reveal(I): This query handles misuse of the session key by any instance I. The query is only available to A, if the instance actually holds a session key, and at that case the key is released to A. – RegisterUser(Uj , pwj ): This query handles inside attacks by having A register a user Uj to server S with a password pwj (i.e., Uj ∈ U ). – Test(I): This query is used to measure how much the adversary can obtain information about the session key. The Testquery can be asked at most once by the adversary A and is only available to A if the instance I is fresh 2 . 2
We consider an instance I that has accepted (holding a session key SK). Let I be a partnered instance of I (refer to [4]). The instance I is fresh unless the following conditions are satisﬁed: (1) either Reveal(I) or Reveal(I ) is asked by A at some point; or (2) RegisterUser(I, ) is asked by A when I = Ui for any i.
152
S. Shin, K. Kobara, and H. Imai
This query is answered as follows: one ﬂips a private coin b ∈ {0, 1}, and forwards the corresponding session key SK (Reveal(I) would output), if b = 1, or a random value with the same size except the session key, if b = 0. Security Notions. The adversary A is provided with random coin tosses, some oracles and then is allowed to invoke any number of queries as described above, in any order. The AKE security is deﬁned by the game Gameake (A, P ) where the goal of the adversary is to guess the bit b, involved in the Testquery, by outputting this guess b . We denote the AKE advantage, by Advake P (A) = 2 Pr[b = b ] − 1, as the probability that A can correctly guess the value of b. The protocol P is said to be (t, ε)AKEsecure if A’s advantage is smaller than ε for any adversary A running time t. As [15], we consider a semihonest server S, who honestly follows the protocol P , but it is curious about the involved user’s identity. The user anonymity is deﬁned by the probability distribution of messages in P . Let P (Ui , S) (resp., P (Uj , S)) be the transcript of P between Ui (resp., Uj ) and S. We can say that the protocol P is anonymous if, for any two users Ui , Uj ∈ U , Dist[P (Ui , S)] = Dist[P (Uj , S)] where Dist[c] denotes c’s probability distribution. This security notion means that the server S gets no information about the user’s identity. 2.3
Computational Assumptions
Chosen Target CDH (CTCDH) Problem [3,5]. Let G = g be a ﬁnite cyclic group of prime order p with g as a generator. Let x be a random element of Zp and let X ≡ g x . A (t, ε)CTCDHg,G attacker is a probabilistic polynomial time (PPT) machine B that is given X and has access to the target oracle TG , returning random points Wi in G∗ , as well as the helper oracle (·)x . Let qT (resp., qH ) be the number of queries B made to the target (resp., helper) oracles. The success probability Succct−cdh (B) of B attacking the chosentarget CDH problem g,G is deﬁned as the probability to output a set of m pairs ((j1 , K1 ), · · · , (jm , Km )) where, for all i (1 ≤ i ≤ m), ∃ji (1 ≤ ji ≤ qT ) such that Ki ≡ Wjxi , all Ki are (t) the maximal success probadistinct and qH < qT . We denote by Succct−cdh g,G bility over every adversaries, running within time t. The CTCDHAssumption (t) ≤ ε for any t/ε not too large. Note that, if B makes one states that Succct−cdh g,G query to the target oracle, then the chosentarget CDH assumption is equivalent to the computational DiﬃeHellman assumption. A SymmetricKey Encryption Scheme. A symmetrickey encryption scheme SE consists of the following two algorithms (E, D), with a symmetrickey K uniformly distributed in {0, 1}κ: (1) Given a message M and a key K, E produces a ciphertext C = EK (M ); and (2) Given a ciphertext C and a key K, D recovers a message M = DK (C). The semantic security for SE is that it is infeasible for an adversary to distinguish the encryptions of two messages M0 and M1 (of the same length), even though the adversary has access to the en/decryption oracles. We denote by Succss SE (t, q) the maximal success probability of a distinguisher, running within time t and making at most q queries to the E and D oracles.
VeryEﬃcient Anonymous PAKE and Its Extensions User Ui (pwi )
153
Server S ((Uj , pwj ) , 1 ≤ j ≤ n) [Precomputation] R
R
a ← Zp , Wi ← G(Ui , pwi ), A ≡ Wi × g a U, A

S, X, Ax , {Cj }1≤j≤n , VS Ki ≡ Ax /X a , Ki ← F(Ui , X, Wi , Ki ), For i = j, MS = DKi (Ci ). If VS = H1 (U StransMS ), reject. Otherwise, VUi ← H2 (U StransMS ) SK ← H3 (U StransMS ) and accept.
R
x ← Zp , X ≡ g x , MS ← {0, 1}l For j = 1 to n, Wj ← G(Uj , pwj ), Kj ≡ (Wj )x , Kj ← F(Uj , X, Wj , Kj ), and Cj = EKj (MS). Compute Ax VS ← H1 (U StransMS)
VUi

If VUi = H2 (U StransMS), reject. Otherwise, SK ← H3 (U StransMS) and accept.
Fig. 1. The VEAP protocol where trans = AAx X{Cj }1≤j≤n
3
A VeryEﬃcient Anonymous PAKE Protocol
In this section, we propose a veryeﬃcient anonymous PAKE (for short, VEAP) protocol that provides the most eﬃciency among their kinds in terms of computation and communication costs. We also show that the VEAP protocol guarantees not only AKE security against an active adversary but also unconditional user anonymity against a semihonest server, who honestly follows the protocol. 3.1
The VEAP Protocol
We assume that each user Ui of the group U = {U1 , · · · , Un } has registered his/her password pwi to server S. For simplicity, we assign the users consecutive integer i (1 ≤ i ≤ n) so that Ui can be regarded as the ith user of U . In the VEAP protocol, any user Ui can share an authenticated session key with server S anonymously (see Fig. 1). Step 0 (Precomputation of server S): At ﬁrst, server S chooses a random number x from Zp and a random master secret MS from {0, 1}l , and computes its DiﬃeHellman public value X ≡ g x . Then, the server repeats the followings for all users Uj (1 ≤ j ≤ n): 1) it computes Wj ← G(Uj , pwj ); 2) it x computes Kj ≡ (Wj ) and derives a symmetrickey Kj ← F (Uj , X, Wj , Kj ); and 3) it generates a ciphertext Cj = EKj (MS) for the master secret MS. Step 1: The user Ui chooses a random number a from Zp and computes Wi ← G(Ui , pwi ). The Wi is masked with g a so that the resultant value
154
S. Shin, K. Kobara, and H. Imai
A is computed in a way of A ≡ Wi × g a . The user sends A and the group U of users’ identities to server S. Step 2: For the received value A, server S computes Ax with the exponent x. Also, the server generates an authenticator VS ← H1 (U StransMS). Then, server S sends its identity S, X, Ax , {Cj }1≤j≤n and VS to user Ui . Step 3: After receiving the message from server S, user Ui ﬁrst computes Ki ≡ Ax /X a and Ki ← F (Ui , X, Wi , Ki ). With Ki , the user decrypts the ith ciphertext Ci=j as follows: MS = DKi (Ci ). If the received VS is not valid, user Ui terminates the protocol. Otherwise, the user generates an authenticator VUi ← H2 (U StransMS ) and a session key SK ← H3 (U StransMS ). The authenticator VUi is sent to server S. Step 4: If the received VUi is not valid, server S terminates the protocol. Otherwise, the server generates a session key SK ← H3 (U StransMS). Rationale. Unlike [13,15,16], the novelty of the VEAP protocol is that it does not use the existing PAKE protocols [9,10] at all. In order to provide the most eﬃciency, the VEAP protocol has the following rationale: 1) Instead of unmasking A, server S sends X and Ax which can be used to derive Ki=j if user Ui has computed Wi with the correct Ui and pwi . Importantly, this procedure makes it possible for server S to precompute Kj for all users Uj (1 ≤ j ≤ n); 2) The server S generates only one DiﬃeHellman public value X and its exponent is used to compute all of the Kj ’s; 3) The server S sends {Cj }1≤j≤n by encrypting the master secret MS with Kj . This is enough to guarantee unconditional user anonymity against a semihonest server; and 4) Both Ui and pwi are used to compute the veriﬁcation data Wi . This is crucial since an adversary is enforced to make an online dictionary attack on a speciﬁc user, not the others. 3.2
Security
In this subsection, we prove that the VEAP protocol is AKEsecure under the chosen target CDH problem in the random oracle model [6] and provides unconditional user anonymity against a semihonest server. Theorem 1 (AKE Security). Let P be the VEAP protocol where passwords are independently chosen from a dictionary of size N . For any adversary A within a polynomial time t, with less than qsend active interactions with the parties (Sendqueries), qexecute passive eavesdroppings (Executequeries) and asking qhashF , qhashG , qhashH hash queries to F , G, any Hk , for k = 1, 2, 3, respectively, ss ct−cdh Advake (t2 + qhashG · τe ) P (A) ≤ 2nqsendS × SuccSE (t1 , q1 ) + 16qsendS × Succg,G
+
2 qhashH 2qsendU 2qsendS q2 6(qsendU + qsendS ) 2Q2 + + + + + hashF N G 2κ 2l 2l1 2l2
(1)
where (1) qsendU (resp., qsendS ) is the number of Sendqueries to Ui (resp., S) instance, (2) Q = qexecute + qsend and qsend ≤ qsendU + qsendS , (3) l1 and l2 are the output sizes of hash function H1 and H2 , respectively, and (4) τe denotes the computational time for an exponentiation in G.
VeryEﬃcient Anonymous PAKE and Its Extensions
155
The main proof strategy is as follows. In order to ”embed” X of the CTCDH problem, the simulator selects a random value s in the set {1, · · · , qsendS } where qsendS is the number of Sendqueries to S instance. If this is the sth instance of party S, the simulator uses the X and forwards A to the helper oracle (·)x , and then returns the received Ax . Let qT1 and qT2 be the ﬁrst and the second Gquery, respectively. The simulator forwards qT1 and qT2 to the target oracle TG and returns the received WT1 and WT2 , respectively. For u (3 ≤ u ≤ hashG) in the {qT3 , · · · , qThashG } where hashG is the number of Gqueries, the simulator chooses a random number wu from Zp and returns WTu ≡ WTw1u , if u ≡ 1 mod 2, or WTu ≡ WTw2u , if u ≡ 0 mod 2. That is, we simulate G oracle by answering with a randomized WT1 , for half of Gqueries, and WT2 , for the remaining queries. Note that qT = 2 and qH = 1. Whenever there is a collision on Wji , the simulator can ﬁnd the solution to the CTCDH problem with the probability 1/2qsendS . Theorem 2 (Anonymity). The VEAP protocol provides unconditional user anonymity against a semihonest server. Proof. Consider server S who honestly follows the VEAP protocol. It is obvious that server S cannot get any information about the user’s identity since the A has a unique discrete logarithm of g and, with the randomlychosen number a, it is the uniform distribution over G∗ . This also implies that the server cannot distinguish Ai (of user Ui ) from Aj (of Uj=i ) because they are completely independent each other. In addition, even if server S receives the authenticator VUi the A does not reveal any information about the user’s identity since the probability, for all users, to get MS is equal. Therefore, Dist[P (Ui , S)] = Dist[P (Uj , S)] for any two users {Ui , Uj } ∈ U . Remark 1. In [16], they discussed user anonymity against a malicious server who does not follow the protocol. However, the NAPAKE protocol [16] does not provide user anonymity against such type of attacks because, if there are only two users in the group, the malicious server can always determine which user is the one, with probability 1/2, by using diﬀerent random values for the users.
3.3
Eﬃciency Comparison
This subsection shows eﬃciency comparison of the VEAP protocol and the previous anonymous PAKE protocols [15,13,16] (see Table 1). With respect to computation costs, we count the number of modular exponentiations of user Ui and server S. In Table 1, ”Total” means the total number of modular exponentiations and ”T−P” is the remaining number of modular exponentiations after excluding those that are precomputable. With respect to communication costs, we measure the bitlength of messages where  ·  indicate the bitlength. As for computation cost of the VEAP protocol, user Ui (resp., server S) is required to compute 2 (resp., n + 2) modular exponentiations. When precomputation is allowed, the remaining costs of user Ui (resp., server S) are only 1 (resp., 1) modular exponentiation. Note that this is the same computation cost
156
S. Shin, K. Kobara, and H. Imai
Table 1. Eﬃciency comparison of anonymous PAKE protocols in terms of computation and communication costs where n is the number of users Number of modular exponentiations User Ui Server S Communication costs ∗1 Total T−P Total T−P APAKE [15] 6 4 4n + 2 3n + 1 (n + 2)p + (n + 1)H TAP [13] 3 2 n+1 n 2p + (n + 1)H NAPAKE [16] 4 3 ∗2 n+3 2 (n + 3)p + H ∗2 VEAP 2 1 n+2 1 3p + 2H + nE  *1: The bitlength of identities is excluded *2: In [16], they incorrectly estimated the eﬃciency of the NAPAKE protocol Protocols
of the DiﬃeHellman protocol [8]. One can easily see that the VEAP protocol is the most eﬃcient in the number of modular exponentiations for both user and server. As for communication cost, the VEAP protocol requires a bandwidth of (3p + 2H + nE)bits, except the length of identities U and S, where the bandwidth for H and the modulus size p are independent from the number of users. If we consider the minimum security parameters (p = 1024, H = 160 and E = 128), the gap of communication costs between the VEAP protocol and the others [15,13,16] becomes larger as the number of users increases.
4 4.1
Its Extensions Reducing Communication Cost of the VEAP Protocol
In this subsection, we show how to reduce the communication cost of the VEAP protocol, such that it is independent of the number of users, at the expense of slight increase of the computation cost (see Fig. 2). The main diﬀerence from the VEAP protocol is that server S ﬁxes the values X and {Cj }1≤j≤n for a time period t. This obviously reduces the communication cost to be independent of the number of users. Instead, user Ui has to read a necessary information from server S’s public bulletin board. Note that, if an adversary changes these values, this extended protocol results in ”failure”. However, one should be careful about the following problems: 1) session key privacy against other legitimate users; and 2) forward secrecy. In fact, the values B x ≡ X b and B y ≡ Y b in the hash functions play an important role to solve the above problems in the extended protocol. 4.2
A New PAKE Protocol
Here, we show that stripping oﬀ anonymity parts from the VEAP protocol is a new kind of PAKE protocol (see Fig. 3). To our best knowledge, this PAKE protocol is the ﬁrst construction built from the blind signature scheme [5].
VeryEﬃcient Anonymous PAKE and Its Extensions
157
Server S ((Uj , pwj ) , 1 ≤ j ≤ n) [Publication of temporarilyfixed values] R R x ← Zp , X ≡ g x , MS ← {0, 1}l For j = 1 to n, Wj ← G(Uj , pwj ), Kj ≡ (Wj )x , Kj ← F(Uj , X, Wj , Kj ), and Cj = EKj (MS). Server S’s public bulletin board Posted time Users U
Values Y H HH 2009/01/18 {Uj }1≤j≤n X, {Cj }1≤j≤n read
User Ui (pwi ) 2 R (a, b) ← Zp , B ≡ g b , Wi ← G(Ui , pwi ), A ≡ Wi × g a
Valid period t 2009/02/17
[Protocol execution up to t] x, X, (Kj , Cj ) , 1 ≤ j ≤ n
U, A, B

R
y ← Zp , Y ≡ g y Compute Ax , B x and B y VS ← H1 (transB x B y MS)
x S, A , Y, VS Ki ≡ Ax /X a , Ki ← F(Ui , X, Wi , Ki ), For i = j, MS = DKi (Ci ). If VS = H1 (transX b Y b MS ), reject. VUi Otherwise, VUi ← H2 (transX b Y b MS ) b b If VUi = H2 (transB x B y MS), reject. SK ← H3 (transX Y MS ) Otherwise, SK ← H3 (transB x B y MS) and accept. and accept.
Fig. 2. An extended VEAP protocol where trans = U SAAx XBY {Cj }1≤j≤n
User Ui (pwi ) R
a ← Zp , Wi ← G(Ui , pwi ), A ≡ Wi × g a
Server S ((Uj , pwj ) , 1 ≤ j ≤ n) Ui , A

R
x ← Zp , X ≡ g x , Ax For i = j, Wj ← G(Uj , pwj ) and Kj ≡ (Wj )x . VS ← H1 (Ui transWj Kj )
x S, X, A , VS Ki ≡ Ax /X a , If VS = H1 (Ui transWi Ki ), reject. VUi Otherwise, VUi ← H2 (Ui transWi Ki ) If VUi = H2 (Ui transWj Kj ), reject. SK ← H3 (Ui transWi Ki ) Otherwise, SK ← H3 (Ui transWj Kj ) and accept. and accept.
Fig. 3. A new PAKE protocol from the VEAP protocol where trans = SAAx X
158
S. Shin, K. Kobara, and H. Imai
Acknowledgements We appreciate the helpful comments of anonymous reviewers.
References 1. Abdalla, M., Pointcheval, D.: Simple PasswordBased Encrypted Key Exchange Protocols. In: Menezes, A. (ed.) CTRSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005) 2. Bresson, E., Chevassut, O., Pointcheval, D.: New Security Results on Encrypted Key Exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004) 3. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The OneMoreRSAInversion Problems and the Security of Chaum’s Blind Signature Scheme. Journal of Cryptology 16(3), 185–215 (2003) 4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000) 5. Boldyreva, A.: Threshold Signatures, Multisignatures and Blind Signatures Based on the GapDiﬃeHellmanGroup Signature Scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002) 6. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Eﬃcient Protocols. In: Proc. of ACM CCS 1993, pp. 62–73. ACM Press, New York (1993) 7. Chu, C.K., Tzeng, W.G.: Eﬃcient kOutofn Oblivious Transfer Schemes with Adaptive and Nonadaptive Queries. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 172–183. Springer, Heidelberg (2005) 8. Diﬃe, W., Hellman, M.: New Directions in Cryptography. IEEE Transactions on Information Theory IT22(6), 644–654 (1976) 9. IEEE P1363.2: PasswordBased PublicKey Cryptography, http://grouper.ieee.org/groups/1363/passwdPK/submissions.html 10. http://www.jablon.org/passwordlinks.html 11. Jablon, D.: Strong PasswordOnly Authenticated Key Exchange. ACM Computer Communication Review 26(5), 5–20 (1996) 12. Jablon, D.: Extended Password Key Exchange Protocols Immune to Dictionary Attacks. In: WETICE 1997 Workshop on Enterprise Security (1997) 13. Shin, S.H., Kobara, K., Imai, H.: A Secure Threshold Anonymous PasswordAuthenticated Key Exchange Protocol. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 444–458. Springer, Heidelberg (2007) 14. Tzeng, W.G.: Eﬃcient 1Outn Oblivious Transfer Schemes. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 159–171. Springer, Heidelberg (2002) 15. Viet, D.Q., Yamamura, A., Tanaka, H.: Anonymous PasswordBased Authenticated Key Exchange. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 244–257. Springer, Heidelberg (2005) 16. Yang, J., Zhang, Z.: A New Anonymous PasswordBased Authenticated Key Exchange Protocol. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 200–212. Springer, Heidelberg (2008)
Eﬃcient Constructions of Deterministic Encryption from Hybrid Encryption and CodeBased PKE Yang Cui1,2 , Kirill Morozov1, Kazukuni Kobara1,2, and Hideki Imai1,2 1 Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science & Technology (AIST), Japan {ycui,kirill.morozov,kkobara,himai}@aist.go.jp http://www.rcis.aist.go.jp/ 2 Chuo University, Japan
Abstract. We build on the new security notion for deterministic encryption (PRIV) and the PRIVsecure schemes presented by Bellare et al at Crypto’07. Our work introduces: 1) A generic and eﬃcient construction of deterministic lengthpreserving hybrid encryption, which is an improvement on the scheme sketched in the above paper; to our best knowledge, this is the ﬁrst example of lengthpreserving hybrid encryption; 2) postquantum deterministic encryption (using the INDCPA variant of codebased McEliece PKE) which enjoys a simpliﬁed construction, where the public key is reused as a hash function. Keywords: Deterministic encryption, hybrid encryption, codebased encryption, searchable encryption, database security.
1
Introduction
Background. The notion of security against privacy adversary (denoted as PRIV) for deterministic encryption was pioneered by Bellare et al [2] featuring an upgrade from the standard onewayness property. Instead of not leaking the whole plaintext, the ciphertext was demanded to leak, roughly speaking, no more than the plaintext statistics does. In other words, the PRIVsecurity deﬁnition (formulated in a manner similar to the semantic security deﬁnition of [7]) requires that a ciphertext must be essentially useless for adversary who is to compute some predicate on the corresponding plaintext. Achieving PRIVsecurity demands two important assumptions: 1) the plaintext space must be large enough and have a smooth (i.e. high minentropy) distribution; 2) the plaintext and the predicate are independent of the public key. Constructions satisfying two ﬂavors of PRIVsecurity are presented in [2]: against chosenplaintext (CPA) and chosenciphertext (CCA) attacks. The following three PRIVCPA constructions are introduced in the random oracle (RO) model. The generic EncryptwithHash (EwH) primitive features replacing of the coins used by the randomized encryption scheme with a hash of the public key concatenated with the message. The RSA deterministic OAEP (RSADOAEP) scheme provides us with lengthpreserving deterministic encryption. M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 159–168, 2009. c SpringerVerlag Berlin Heidelberg 2009
160
Y. Cui et al.
In the generic EncryptandHash (EaH) primitive, a ”tag” in the form of the plaintext’s hash is attached to the ciphertext of a randomized encryption scheme. These results were extended by Boldyreva et al [4] and Bellare et al [3] presenting new extended deﬁnitions, proving relations between them, and introducing, among others, new constructions without random oracles. Applications. The original motivation for this research comes from the demand on eﬃciently searchable encryption (ESE) in the database applications. Lengthpreserving schemes can also be used for encryption of legacy code and in the bandwidthlimited systems. Some more applications (although irrelevant to our work) to improving randomized encryption schemes were studied in [4, Sec. 8]. Motivation. The work [2, Sec. 5] sketches a method for encrypting long messages, but it is less eﬃcient compared to the standard hybrid encryption, besides it is conjectured not to be lengthpreserving. Also, possible emerging of quantum computers raises demands for postquantum deterministic encryption schemes. Our Contribution. In the random oracle model, we present a generic and eﬃcient construction of lengthpreserving deterministic hybrid encryption. In a nutshell, we prove that the session key can be computed by concatenating the public key with the ﬁrst message block and inputting the result into key derivation function. This is a kind of reusing the (suﬃcient) entropy of message, and it is secure due to the assumption that the message is highentropy and independent of the key. Meanwhile, Bellare et al. employ the hybrid encryption in a conventional way, which ﬁrst encrypts a random session key to further encrypt the data, obviously losing the lengthpreserving property. Hence, we show that the claim of Bellare et al [2, Sec. 5]: “However, if using hybrid encryption, RSADOAEP would no longer be lengthpreserving (since an encrypted symmetric key would need to be included with the ciphertext)” is overly pessimistic. To our best knowledge, this is the ﬁrst example of lengthpreserving hybrid encryption. For achieving postquantum deterministic encryption, we propose to plug in an INDCPA secure variant [10] of the coding theory based (or codebased) McEliece PKE [9] into the generic constructions EaH and EwH, presented in [2, Sec. 5]. The McEliece PKE is believed to be resistant to quantum attacks, besides it has very fast encryption algorithm. Moreover, we point out a signiﬁcant simpliﬁcation: the public key (which is a generating matrix of some linear code) can be reused as hash function. Related Work. The deterministic hybrid encryption scheme is based on the same principle as the RSADOAEP scheme of [2, Sec. 5], we just ﬁll the gap which was overlooked there. Organization. The paper will be organized in the following way: Sec.2 provides the security deﬁnitions of deterministic encryption. Sec.3 gives the proposed generic and eﬃcient construction of deterministic hybrid encryption, which leads to the ﬁrst lengthpreserving construction, immediately. In Sec.4, we will provide deterministic encryption from the codebased PKE, which is postquantum secure and eﬃcient due to the good property of the underlying PKE scheme. Next, in Sec.5, we further discuss how to extend the PRIV security to the chosenciphertext attack (CCA) scenario.
Eﬃcient Constructions of Deterministic Encryption
2
161
Preliminaries
Denote by “x” the cardinality of x. Denote by x ˆ the vector and by x ˆ[i] the ith component of x ˆ (1 ≤ i ≤ ˆ x). Write x ˆˆ y for concatenation of vectors x ˆ and y ˆ. Let x ←R X denote the operation of picking x from the set X uniformly at random. Denote by z ← A(x, y, ...) the operation of running algorithm A with input (x, y, ...), to output z. Write log x as the logarithm with base 2. We also write Pr[A(x) = y : x ←R X] the probability that A outputs y corresponding to input x, which is sampled from X. We say a function (k) is negligible, if for any constant c, there exists k0 ∈ N, such that < (1/k)c for any k > k0 . A public key encryption (PKE) scheme Π consists of a triple of algorithms (K, E, D). The key generation algorithm K outputs a pair of public and secret keys (pk, sk) taking on input 1k , a security parameter k in unitary notation. The encryption algorithm E on input pk and a plaintext x ˆ outputs a ciphertext c. The decryption algorithm D takes sk and c as input and outputs the plaintext message x ˆ. We require that for any key pair (pk, sk) obtained from K, and any plaintext x ˆ from the plaintext space of Π, x ˆ ← D(sk, E(pk, x ˆ)). Definition 1 (PRIV [2]). Let a probabilistic polynomialtime (PPT) adversary ADE against the privacy of the deterministic encryption Π = (K, E, D), be a pair of algorithms ADE = (Af , Ag ), where Af , Ag do not share any random coins or state. The advantage of adversary is defined as follows, priv−1 priv−0 Advpriv Π,ADE (k) = Pr[ExpΠ,ADE (k) = 1] − Pr[ExpΠ,ADE (k) = 1]
where experiments are described as: Experiment Exppriv−1 Π,ADE (k) :
Experiment Exppriv−0 Π,ADE (k) :
(pk, sk) ←R K(1k ), (ˆ x1 , t1 ) ←R Af (1k ), c ←R E(1k , pk, x ˆ1 ), g ←R Ag (1k , pk, c); return 1 if g = t1 , else return 0
(pk, sk) ←R K(1k ), (ˆ x0 , t0 ) ←R Af (1k ), (ˆ x1 , t1 ) ←R Af (1k ), k c ←R E(1 , pk, x ˆ0 ), g ←R Ag (1k , pk, c); return 1 if g = t1 , else return 0
We say that Π is PRIV secure, if Advpriv Π,ADE (k) is negligible, for any PPT ADE with high minentropy, where ADE has a high minentropy μ(k) means that μ(k) ∈ ω(log(k)), and Pr[ˆ x[i] = x : (ˆ x, t) ←R Am (1k )] ≤ 2−μ(k) for all k, ∗ all 1 ≤ i ≤ ˆ x, and any x ∈ {0, 1} . In the underlying deﬁnition, the advantage of privacy adversary could be also written as priv−b Advpriv Π,ADE (k) = 2 Pr[ExpΠ,ADE (k) = b] − 1 where b ∈ {0, 1} and probability is taken over the choice of all of the random coins in the experiments.
162
Y. Cui et al.
Remarks. 1) The encryption algorithm Π need not be deterministic per se. For example, in a randomized encryption scheme, the random coins can be ﬁxed in an appropriate way to yield a deterministic scheme (as explained in Sec.4); 2) As argued in [2], Af has no access to the pk and Ag does not know the chosen plaintext input to encryption oracle by Af . This is required because the public key itself carries some nontrivial information about the plaintext if the encryption is deterministic.1 Thus, equipping either Af or Ag with both the public key and free choice of an input plaintext in the way of conventional indistinguishability notion [7] of PKE, the PRIV security cannot be achieved. It is possible to build PRIV security from indistinguishability (IND) security, as observed in [2]. In the following, we recall the notion of IND security. Definition 2 (INDCPA). We say a scheme Π = (K, E, D) is INDCPA secure, if the advantage Advind Π,A of any PPT adversary A = (A1 , A2 ) is negligible, (let s be the state information of A1 , and ˆb ∈ {0, 1}): ⎡ ⎤ ˆb = b : (pk, sk) ←R K(1k ), ⎢ (x0 , x1 , s) ←R A1 (1k , pk), ⎥ ⎢ ⎥ Advind Π ,A (k) = 2 · Pr ⎣ b ← {0, 1}, c ← E(1k , pk, x ), ⎦ − 1 R R b ˆb ←R A2 (1k , c, s) Remark. IND security is required by a variety of cryptographic primitives. However, for an eﬃciently searchable encryption used in database applications, IND secure encryption may be considered as overkill. For such a strong encryption, it is not known how to arrange fast (i.e. logarithmic in the database size) search. IND secure symmetric key encryption (SKE) has been carefully discussed in the literature, such as [6, Sec.7.2]. Given a key K ∈ {0, 1}k and message m, an encryption algorithm outputs a ciphertext χ. Provided χ and K, a decryption algorithm outputs the message m uniquely. Note that for a secure SKE, outputs of the encryption algorithm could be considered uniformly distributed in the range, when encrypted under independent session keys. Besides, it is easy to build IND secure SKE. Definition 3 (INDCPA SKE). A symmetric key encryption (SKE) scheme Λ = (KSK , ESK , DSK ) with key space {0, 1}k , is indistinguishable against chosen plaintext attack (INDCPA) if the advantage of any PPT adversary B, Advind−cpa is negligible, where Λ,B ˆb = b : K ←R {0, 1}k , b ←R {0, 1}, ind−cpa (k) = 2 · Pr ˆ AdvΛ,B − 1, b ←R B LOR(K,·,·,b) (1k ) where a leftorright oracle LOR(K, M0 , M1 , b) returns χ ←R ESK (K, Mb ). Adversary B is allowed to ask LOR oracle, with two chosen message M0 , M1 (M0 = M1 , M0  = M1 ). 1
In other words, suppose that in Def. 1, Af knows pk. Then, Af can assign t1 to be the ciphertext c, and hence Ag always wins the game (returns 1). Put it diﬀerently, although Af and Ag are not allowed to share a state, knowledge of pk can help them to share it anyway.
Eﬃcient Constructions of Deterministic Encryption
163
Hybrid Encryption. In the seminal paper by Cramer and Shoup [6], the idea of hybrid encryption is rigorously studied. Note that typically, PKE is applied in key distribution process due to its expensive computational cost, while SKE is typically used for encrypting massive data ﬂow using a freshly generated key for each new session. In hybrid encryption, PKE and SKE work in tandem: a randomly generated session key is ﬁrst encrypted by PKE, then the plaintext is further encrypted on the session key by SKE. Hybrid encryption is more commonly used in practice than a sole PKE, since encryption/decryption of the former is substantially faster for long messages. McEliece PKE. (denoted ΠM ) Consists of the following triple of algorithms (KM , EM , DM ). 1. Key generation KM : On input λ, output (pk, sk). n, t ∈ N, t n – sk (Private Key): (S, ϕ, P ) G : l×n generating matrix of a binary irreducible [n, l] Goppa code which can correct a maximum of t errors. ϕ is an eﬃcient bounded distance decoding algorithm of the underlying code, S: l × l nonsingular matrix, P: n × n permutation matrix, chosen at random. – pk (Public Key): (G, t) G: l × n matrix given by a product of three matrices SG P . 2. Encryption EM : Given pk and an lbit plaintext m, randomly generate nbit e with Hamming weight t, output ciphertext c = mG ⊕ e. 3. Decryption DM : On input c, output m with private key sk. – Compute cP −1 = (mS)G ⊕ eP −1 , where P −1 is an inverse matrix of P . – Error correcting algorithm ϕ corresponding to G applies to compute mS = ϕ(cP −1 ). – Compute the plaintext m = (mS)S −1 . INDCPA security of the McEliece PKE can be achieved by padding the plaintext with a random bitstring r, r = a · l for some 0 < a < 1. We refer to [10] for details.
3
Secure Deterministic Hybrid Encryption
In this section, we will present a generic composition of PKE and SKE to obtain deterministic hybrid encryption. Interestingly, the situation is diﬀerent from conventional hybrid encryption. In that case, the overhead of communication cost includes at least the size of the session key, even if we pick the PKE scheme being a (lengthpreserving) oneway trapdoor permutation, e.g. RSA. However, we notice that in PRIV security deﬁnition, both of public key and plaintext are not simultaneously known by Af or Ag . Hence, one can save on generating and encrypting a random session key. Instead, the secret session key could be extracted from the combination of public key and plaintext which are available to a legal user contrary to the adversary. As we show next, such an approach may need a little higher minentropy, but it works in principle.
164
3.1
Y. Cui et al.
Generic Composition of PRIVSecure PKE and INDCPA Symmetric Key Encryption
Given a PRIV secure PKE scheme Π = (K, E, D), and an INDCPA secure SKE scheme Λ = (KSK , ESK , DSK ), we can achieve a deterministic hybrid encryption HE = (KH , EH , DH ). In the following, H : {0, 1}∗ → {0, 1}k is a key derivation function (KDF), modeled as a random oracle. In the following section, we simply write input vector x ˆ as x with length of ˆ x = v. Wlog, parse x = x ¯x, where the ¯ x and x are equivalent to the input domain of Π and Λ, respectively. Table 1. Generic Construction of Deterministic Hybrid Encryption EH (pk, x): DH (sk, c): KH (1k ): Parses x to x ¯x Parse c to ψχ (pk, sk) ←R K(1k ) x ¯ ← D(sk, ψ) ψ ←R E (1k , pk, x ¯) Return (pk, sk) K ← H(pk¯ x) K ← H(pk¯ x) x ← DSK (K, χ) χ ←R ESK (K, x) Return x = x ¯x Return c = ψχ
In the Table 1, the proposed construction is simple, eﬃcient, and can be generically built from any PRIV PKE and INDCPA SKE. Note that the secret session key is required to have high minentropy in order to deny a bruteforce attack to SKE. However, thanks to the PRIV security, the high minentropy requirement is inherently fulﬁlled for any PPT privacy adversary, so that we can build a reduction of security of the deterministic hybrid encryption to security of deterministic PKE. Next, we will provide a sketch of our proof. 3.2
Security Proof
Theorem 1. In the random oracle model, given a PRIV PKE scheme Π = (K, E, D), and an INDCPA SKE scheme Λ = (KSK , ESK , DSK ), if there is a PRIV adversary AH against the hybrid encryption HE = (KH , EH , DH ), then there exists PRIV adversary A or INDCPA adversary B, s.t. priv ind−cpa (k) + qh v/2μ Advpriv HE,AH (k) ≤ AdvΠ,A (k) + AdvΛ,B
where qh is an upper bound on the number of queries to random oracle H, v is the plaintext size of Π, μ is defined by high minentropy of PRIV security of Π. Proof. Since we assume a PPT adversary AH = (Af , Ag ) against the HE scheme, according to the deﬁnition of PRIV, there must be a nonnegligible advantage in the following experiments. More precisely, if a successful adversary exists, then priv−1 priv−0 Advpriv HE,AH (k) = Pr[ExpHE,AH (k) = 1] − Pr[ExpHE,AH (k) = 1]
Eﬃcient Constructions of Deterministic Encryption
Experiment Exppriv−1 HE,AH (k): (pk, sk) ←R K(1k ); (x1 , t1 ) ←R Af (1k ); Parse x1 to x ¯1 x1 ; ψ ←R E(1k , pk, x¯1 ); K ← H(pk¯ x1 ); χ ←R ESK (K, x1 ); c ← ψχ; g ←R Ag (1k , pk, c); return 1 if g = t1 , else return 0
165
Experiment Exppriv−0 HE,AH (k): (pk, sk) ←R K(1k ); (x0 , t0 ) ←R Af (1k ), (x1 , t1 ) ←R Af (1k ); Parse x0 to x ¯0 x0 ; ψ ←R E(1k , pk, x ¯0 ); K ← H(pk¯ x0 ); χ ←R ESK (K , x0 ); c ← ψ χ ; g ←R Ag (1k , pk, c ); return 1 if g = t1 , else return 0
is nonnegligible for some AH . Next we present a simulator which gradually modiﬁes the above experiments such that the adversary does not notice it. Our goal is to show that Advpriv HE,AH (k) is almost as big as the corresponding advantages deﬁned for PRIV security of the PKE scheme and INDCPA security of the SKE scheme, which are assumed negligible. Because of the high minentropy requirement of PRIV adversary, it is easy to ¯0 = x ¯1 see that x0 = x1 , except with negligible probability. Thus, there must be x or x0 = x1 , or both. Hence, we need to consider the following cases. ¯0 = x ¯1 , the right part of xb (b ∈ {0, 1}), Case [¯ x0 = x¯1 ] Since x0 = x1 and x could be equal or not. – When x0 = x1 , the adversary has two targets, such as Π and Λ in two experiments. First look at the SKE scheme Λ. In this case, the inputs to Λ in two experiments are the same, but still unknown to Ag . The key derivation function H outputs K ← H(pk¯ x1 ) and K ← H(pk¯ x0 ). ¯1 , we have K = K . Note that Ag does not know x0 nor x1 , Since x¯0 = x thus does not know K, K , either. Then, Ag must tell which of χ, χ is the corresponding encryption under the unknown keys without knowing x0 , x1 (x0 = x1 ), which is harder than breaking INDCPA security and (k). that could be bounded by Advind−cpa Λ,B On the other hand, the adversary can also challenge the PKE scheme Π to distinguish two experiments, but it will break the PRIV security. More precisely, the advantage in distinguishing ψ, ψ with certain K, K is at most Advpriv Π,A (k), since K, K are not output explicitly and unavailable to adversary. – when x0 = x1 , this case is similar to the above, except that the inputs to Λ are diﬀerent. Ag can do nothing given χ, χ only, hence Ag ’s possible attack must be focused on Π, and its advantage can be bounded by Advpriv Π,A (k). Case [x0 = x1 ] Similarly, there must be either x ¯0 = x ¯1 or x ¯0 = x ¯1 . – when x¯0 = x ¯1 , the same session key K ← H(pk¯ xb ) (b ∈ {0, 1}) is used for Λ. In this case, the ciphertexts ψ, ψ are the same, adversary will focus on distinguishing the χ, χ . Note that Af cannot compute K even though he knows the x¯0 = x ¯1 , because pk is not known to him
166
Y. Cui et al.
(otherwise, it will break the PRIV security of Π immediately!). Thus, the successful distinguishing requires Ag to choose the same x ¯0 = x ¯1 when querying to the random oracle. Then, Ag has a harder game than INDCPA (because it does not know x0 , x1 ), whose advantage is bounded by Advind−cpa (k). Λ,B In order to be sure that adversary (Af , Ag ) mounting a bruteforce attack to ﬁnd out the session key of Λ cannot succeed, the probability to ﬁnd the key in searching all the random oracle queries should be taken into account as well. Suppose that adversary makes at most qh queries to its random oracle, and the Π’s plaintext size is v. Then, this probability could be upper bounded by qh v/2μ (Note that this bound is in nature similar to that in [2, Sec.6.1]). – when x¯0 = x ¯1 , as we have discussed above, this will break the PRIV security of Π, and advantage of adversary could be bounded by Advpriv Π,A (k). Summarizing, we conclude that in all cases when (Af , Ag ) intends to break the PRIV security of our HE scheme, its advantage of distinguishing two experiments ind−cpa μ (k).
is bounded by the sum of Advpriv Π,A (k), qh v/2 and AdvΛ,B Lengthpreserving Deterministic Hybrid Encryption. The ﬁrst lengthpreserving PRIV PKE scheme is RSADOAEP due to [2]. The lengthpreserving property is important in practical use, such as bandwidthrestricted applications. RSADOAEP makes use of the RSA trapdoor permutation and with a modiﬁed 3round Feistel network achieves the same sizes of input and output. As we have proved in Theorem 1, a construction proposed in Table 1 leads to a deterministic hybrid encryption. In particular, RSADOAEP + INDCPA SKE ⇒ a lengthpreserving deterministic hybrid encryption, because both RSADOAEP and INDCPA SKE are lengthpreserving. Note that in [2, Sec.5.2], it is argued that RSADOAEP based hybrid encryption scheme cannot be lengthpreserving any more, because a random session key has to be embedded in RSADOAEP. However, by reusing the knowledge of public key pk and a part of the message, we can indeed build the ﬁrst lengthpreserving deterministic hybrid encryption, which is not only convenient in practice, but also meaningful in theory.
4
Deterministic Encryption from CodeBased PKE
From a postquantum point of view, it is desirable to obtain deterministic encryption based on assumptions other than RSA or discrete log. Codebased PKE, such as McEliece PKE [9] is considered a promising candidate after being carefully studied for over thirty years. To our surprise, it is not the only motivation to achieve deterministic encryption from codebased PKE. Another good property of the McEliece PKE and its variants is that its public key could be used as a hash function to digest the message, which is originally noted in Stern’s paper [11], and recently designed by [1,8]. The advantage that public key itself is able to work as a hash function,
Eﬃcient Constructions of Deterministic Encryption
167
Table 2. Construction of EwH Deterministic Encryption K(1k ): E (pk, HN , x): D(sk, HM , c): R ← HM (x) x, r , e ← DM (sk, c) (pk, sk) ←R KM (1k ) k Parse R to rre Decode e to re HM ← H(1 , pk) Encode re to e R ← r re , R ← HM (x) Return (pk, HM , sk) c ← EM (pk, rx; e) Return x if R = R Otherwise, return ⊥ Return c Table 3. Construction of EaH Deterministic Encryption K(1k ): E (pk, HM , x): D(sk, HM , cT ): T ← HN (x) x, r, e ← DM (sk, c) (pk, sk) ←R KM (1k ) T ← HN (x) r ←R {0, 1}lp HN ← H(1k , pk) n Return x if T = T e ←R {0, 1} , s.t. Hw(e) = t Return (pk, HM , sk) Otherwise, return ⊥ c ← EM (pk, rx; e) Return cT
can do us a favor to build eﬃcient postquantum deterministic encryption. We call this Hidden Hash (HH) property of McEliece PKE. Henceforth, we assume that this function behaves as a random oracle. In [2], two constructions satisfying PRIV security have been proposed: EncryptwithHash (EwH) and EncryptandHash (EaH). Adapting the HH property of the McEliece PKE to the both constructions, we can achieve PRIV secure deterministic encryption. For proving PRIV security, we require the McEliece PKE to be INDCPA secure, which has been proposed in [10]. (The proofs are deferred to the full version of this paper). Construction of EwH. Let ΠM = (KM , EM , DM ) be the INDCPA McEliece PKE as described in Section 2, based on [n, l, 2t + 1] Goppa code family, with lp bit padding where lp = a·l for some 0 < a < 1, and plaintext length lm = l−lp . Let H be a hash family deﬁned over a set of public keys of the McEliece PKE.
t n HM : {0, 1}lm → {0, 1}lp+log i=1 ( t ) and HN : {0, 1}lm → {0, 1}2k are uniquely deﬁned by 1k and pk. Without knowledge of pk, there is no way to compute HM or HN (refer to [1,8] for details). e is an error vector, s.t. e = n with Hamming weight Hw(e) = t. According to Cover’s paper [5], it is quite eﬃcient to ﬁnd an injective mapping to encode the (short) bit string re into e, and vice versa. Our EwH scheme is presented in Table 2. Note that compared with the EwH scheme proposed by Bellare et al. [2], our scheme does not need to include pk into the hash, because hash function HM itself is made of pk. Public key pk could be considered as a part of the algorithm of the hash function, as well. When we model HM as a random oracle, we can easily prove the PRIV security in a similar way as Bellare et al’s EwH. A more favorable, eﬃciently searchable encryption (ESE) with PRIV security is EaH. EaH aims to model the practical scenario in database security, where a deterministic encryption of some keywords works as a tag attached to the encrypted data. To search the target data, it is only required to compute the
168
Y. Cui et al.
deterministic tag and compare it within the database, achieving a search time which is logarithmic in database size. Construction of EaH. The description of McEliece PKE is similar to the above. EaH scheme is described in Table 3. The HH property is employed in order to achieve PRIV secure eﬃciently searchable encryption.
5
Concluding Remarks
Extension to ChosenCiphertext Security. Above, we have proposed several PRIV secure deterministic encryption schemes, in CPA case. A stronger attack scenario, CCA, requires a little more care. As commented in [2], PRIVCCA could be obtained from PRIVCPA scheme with some additional cost, such as onetime signatures or other authentication techniques to deny a CCA attacker. We can employ those techniques to lift up CPA to CCA. The important issue is that we have achieved very eﬃcient PRIVCPA secure building blocks which enjoy some advantages over previous works. Open Question. Proving our constructions secure in the standard model is an open question and the topic of our future work.
References 1. Augot, D., Finiasz, M., Sendrier, N.: A Family of Fast Syndrome Based Cryptographic Hash Functions. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 64–83. Springer, Heidelberg (2005) 2. Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and Eﬃciently Searchable Encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007) 3. Bellare, M., Fischlin, M., O’Neill, A., Ristenpart, T.: Deterministic Encryption: Deﬁnitional Equivalences and Constructions without Random Oracles. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 360–378. Springer, Heidelberg (2008) 4. Boldyreva, A., Fehr, S., O’Neill, A.: On Notions of Security for Deterministic Encryption, and Eﬃcient Constructions without Random Oracles. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 335–359. Springer, Heidelberg (2008) 5. Cover, T.: Enumerative source encoding. IEEE IT 19(1), 73–77 (1973) 6. Cramer, R., Shoup, V.: Design and analysis of practical publickey encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2003) 7. Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28(2), 270–299 (1984) 8. Finiasz, M.: Syndrome Based Collision Resistant Hashing. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 137–147. Springer, Heidelberg (2008) 9. McEliece, R.J.: A publickey cryptosystem based on algebraic coding theory. Deep Space Network Progress Rep. 4244, 114–116 (1978) 10. Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic Security for the McEliece Cryptosystem without Random Oracles. Designs, Codes and Cryptography 49(13), 289–305 (2008) 11. Stern, J.: A new identiﬁcation scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994)
Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields ´ Alvar Ibeas1 and Arne Winterhof2 1
2
University of Cantabria E39071 Santander, Spain [email protected] Johann Radon Institute for Computational and Applied Mathematics Austrian Academy of Sciences Altenbergerstr. 69, 4040 Linz, Austria [email protected]
Abstract. We consider the problem of recovering an unknown sparse multivariate polynomial f ∈ Fp [X1 , . . . , Xm ] over a finite field Fp of prime order p from approximate values of f (t1 , . . . , tm ) at polynomially many points (t1 , . . . , tm ) ∈ Fm p selected uniformly at random. Our result is based on a combination of bounds on exponential sums with the lattice reduction technique. Keywords: Noisy interpolation, Sparse polynomials, Hidden number problem, Lattice reduction, Exponential sums.
1
Introduction
Let p be a prime. We will use the notation Fp for the ﬁnite ﬁeld of p elements and identify it with the integers in the range {0, . . . , p − 1}. For an integer s we denote by sp the remainder of s on division by p. For a positive integer m we consider the problem of ﬁnding an unknown multivariate nonconstant polynomial f ∈ Fp [X1 , . . . , Xm ] of weight at most w from approximate values of f (t1 , . . . , tm )p at polynomially many points (t1 , . . . , tm ) ∈ Fm p . More precisely, using the abbreviations X = (X1 , . . . , Xm ) ej,1 e ej and X = X1 · · · Xmj,m if ej = ej,1 + ej,2 p + · · · + ej,m pm−1 with 0 ≤ ej,1 , ej,2 , . . . , ej,m < p, the polynomial f = f (X) is of the form f (X) =
w
αj Xej ,
(1)
j=1
where 1 ≤ e1 < e2 < · · · < ew < pm . A polynomial time algorithm to recover a univariate sparse polynomial f ∈ Fp [X] from approximations to f (j)p at random j was introduced and investigated in [3,4]. The case of a univariate polynomial f (X) = αX corresponds to the hidden number problem, see [2,5,6] and references therein. In the present paper we present an algorithm for arbitrary m. M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 169–178, 2009. c SpringerVerlag Berlin Heidelberg 2009
170
´ Ibeas and A. Winterhof A.
The algorithm is based on the lattice reduction technique. To be more precise, a certain lattice is constructed which contains a vector, associated with the coeﬃcients of f , and which is close to a certain known vector. Using the lattice reduction technique one can hope to recover this vector. Then, in order to make these arguments rigorous, that is, to show that there are no other lattice vectors which are close enough to the known “target” vector, we need a certain uniform distribution property of f which is only guaranteed if the total degree of f is small enough. However, using a weaker uniform distribution property of f and ideas reminiscent to Waring’s problem in a ﬁnite ﬁeld, see for example [7], we can adapt the algorithm to polynomials of much larger degree. We use log z to denote the binary logarithm of z > 0. For a prime p and τ ≥ 0 we denote by MSBτ,p (x) any integer u such that xp − u ≤ p/2τ +1 . Roughly speaking, MSBτ,p (x) gives the τ most signiﬁcant bits of x, however this deﬁnition is more ﬂexible and suits better our purposes. In particular we remark that τ need not be an integer. We use bold lowercase letters to denote vectors in e1 e e em Fm p and use the analogue notation to X : x = (x1 , . . . , xm ) and x = x1 · · · xm m−1 if e = e1 + e2 p + · · · + em p with 0 ≤ e1 , . . . , em < p.
2
Preliminaries
For a prime p we denote ep (z) = exp(2πiz/p). The following bound on exponential sums of a univariate polynomial is given in [1, Corollary 1.1]. It is nontrivial for polynomials of very large degree relative to p. Lemma 1. Let F ∈ Fp [X] be a nonconstant polynomial of degree D and weight 1−ε
log p)) w. For any ε ∈ (0, 1), if D ≤ p(log(wlog , the following bound holds provided p that p is large enough: 1 ≤ p 1 − e (F (x)) . p (w log p)1+ε x∈Fp
The following result extends this bound to exponential sums of a multivariate polynomial. Lemma 2. Let F ∈ Fp [X] be a nonconstant multivariate polynomial of total degree D and weight at most w. For any ε ∈ (0, 1) and 0 < c < 1 with min degXi (F ) ≤ i=1,...,m deg X (F )>0 i
p(log log p)1−ε log p
and
D ≤ cp,
the following bound holds provided that p is large enough: 1 m ep (F (x)) ≤ p 1− . (w log p)1+ε x∈Fm p
(2)
Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields
Proof. We may assume that degXm (F ) = F (X) =
w0
171
min degXi (F ) > 0 and
i=1,...,m
ej
ai (X1 , . . . , Xm−1 )Xm i
i=1
for some w0 ≤ w and polynomials a1 , . . . , aw0 ∈ Fp [X1 , . . . , Xm−1 ] not identically ep (F (x)). We have zero. Put S = x∈Fm p w 0 ej S≤ ep ai (x1 , . . . , xm−1 )xmi . i=1 x1 ,...,xm−1 ∈Fp xm ∈Fp
The polynomial aw0 has at most pm−2 D zeros and therefore, the univariate polynomials F (x1 , . . . , xm−1 , Xm ) are constant for at most pm−2 D choices of the values x1 , . . . , xm−1 . Using Lemma 1 with a certain ε < ε for the rest, we get S 1 1−c ≤ D + (p − D) 1 − ≤p 1− , pm−1 (w0 log p)1+ε (w0 log p)1+ε and the result follows. For small total degree D we also use the Weil bound ep (F (x)) < Dpm−1/2 . x∈Fp
(3)
Let S ⊆ Fm p be a subseteiof cardinality s. For integers h, k ≥ 1, r, and a polyno∈ Fp [X], we denote by N (S, k, f, h, r) the number of mial f (X) = w i=1 αi X solutions in S k of the “Waringlike” equation: f (x1 ) + · · · + f (xk ) ≡ t mod p, r + 1 ≤ t ≤ r + h. w Let Pf be the set of polynomials i=1 βi Xei which are distinct to f . We say that the set S is (Δ, k, f )homogeneously distributed modulo p if for every g ∈ Pf max N (S, k, f − g, h, r) − hsk p−1 ≤ Δsk . 1≤h,r≤p
Lemma 3. Let f ∈ Fp [X] such that ep (a(f (x) − g(x))) ≤ Bpm , x∈Fm p k for all g ∈ Pf and a ∈ F∗p . Then, for every integer k ≥ 1, Fm p is (B log p, k, f )homogeneously distributed modulo p.
´ Ibeas and A. Winterhof A.
172
Proof. By the wellknown identity
p−1
ep (au) =
a=0
0, if u ≡ 0 mod p, we have p, if u ≡ 0 mod p,
N (Fm p , k, f − g, h, r) =
r+h
p−1
t=r+1 x1 ,...,xk ∈Fm p
1 = p a=0
p−1
r+h
1 ep (a(f (x1 ) − g(x1 ) + · · · + f (xk ) − g(xk ) − t)) p a=0 ⎛
ep (−at) ⎝
⎞k ep (a(f (x) − g(x)))⎠ .
x∈Fm p
t=r+1
The term corresponding to a = 0 is hpmk−1 . Applying the estimate p−1 r+h ep (at) ≤ p log p max 1≤h≤p a=1 t=r+1
to other terms we obtain the result.
As in [3,4], the presented method uses lattice basis reduction techniques. We brieﬂy review a result on lattices. Let {b1 , . . . , bs } be a set of linearly independent vectors in Rr . The set L = {c1 b1 + · · · + cs bs  c1 , . . . , cs ∈ Z} is called an sdimensional lattice, and the set {b1 , . . . , bs } is called a basis of L. The search of elements in a lattice with small norm or close to a given one is a widely investigated problem. As in [3,4], we use the following result. Lemma 4. There exists a deterministic polynomial time algorithm which, for a given lattice L ⊂ Rs and vector r = (r1 , . . . , rs ) ∈ Rs , ﬁnds a lattice vector v = (v1 , . . . , vs ) satisfying the inequality s log2 log s (vi − ri ) ≤ exp O log s i=1 s 2 (zi − ri ) , z = (z1 , . . . , zs ) ∈ L . × min
s
2
i=1
3
General Interpolation Result
Let τ > 0 be a real number and e = (e1 , . . . , ew ) a vector of integers such that 1 ≤ e1 < · · · < ew < pm . For t1,1 , . . . , t1,k ; . . . ; td,1 , . . . , td,k ∈ Fm p we denote by Lτ,e,p (t1,1 , . . . , td,k ) the (d + w)dimensional lattice generated by the rows of the
Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields
173
following matrix: ⎛
1 1 te1,1 + · · · + te1,k ⎜ .. ⎜ . ⎜ ew ⎜ t + · · · + tew 1,k ⎜ 1,1 ⎜ p ⎜ ⎜ .. ⎝ .
0
1 1 · · · ted,1 + · · · + ted,k 1/2τ +1 .. .. . . w w · · · ted,1 + · · · + ted,k 0 ··· 0 0 .. .. .. . . . ··· p 0
⎞ ··· 0 ⎟ .. .. ⎟ . . ⎟ · · · 1/2τ +1 ⎟ ⎟. ··· 0 ⎟ ⎟ ⎟ .. ⎠ . ···
(4)
0
Lemma 5. Let p be a suﬃciently large nbit prime and let w ≥ 1 be an integer. We deﬁne d = 2 (nw)1/2 and η = 0.5(nw)1/2 + 3. Let f ∈ Fp [X] be deﬁned by (1) and k be a positive integer such that S ⊆ Fm p is (2−η , k, f )homogeneously distributed modulo p. Assume that t1,1 , . . . , td,k ∈ S are chosen uniformly and independently at random. Then with probability P ≥ 1 − 2−η for any vector s = (s1 , . . . , sd , 0, . . . , 0) with
d (f (ti,1 ) + · · · + f (ti,k )p − si )2
1/2 ≤ 2−η p,
i=1
all vectors v = (v1 , . . . , vd , vd+1 , . . . , vd+w ) ∈ Lτ,e,p (t1,1 , . . . , td,k ) satisfying
d
1/2 (vi − si )
2
≤ 2−η p
i=1
are of the form ⎢ ⎢ ⎢ w ej e βj (t1,1 + ··· + t j v= ⎣
⎥ ⎢ ⎥ ⎥ ⎢ ⎥ ⎥ ⎢ w ej ej ⎥ ⎦ ,...,⎣ ⎦ , ) β (t + · · · + t ) j d,1 1,k d,k
j=1
p
j=1
p
β1 /2
τ +1
, . . . , βw /2
τ +1
with some integers βj ≡ αj mod p, j = 1, . . . , w. Proof. We deﬁne the modular distance between two integers λ and μ as distp (λ, μ) = min λ − μ − bp = min {λ − μp , p − λ − μp } . b∈Z
174
´ Ibeas and A. Winterhof A.
Because of the homogeneous distribution property, we see that for any polynomial g ∈ Pf the probability P (g) that distp (g(t1 ) + · · · + g(tk ), f (t1 ) + · · · + f (tk )) ≤ 2−η+1 p for t1 , . . . , tk ∈ S selected uniformly at random is P (g) ≤ 2−η+2 + 2−η =
5 . 2η
Therefore, for any g ∈ Pf , the probability that there is i ∈ [1, d] with distp (g(ti,1 ) + · · · + g(ti,k ), f (ti,1 ) + · · · + f (ti,k )) > 2−η+1 p d equals 1 − P (g)d ≥ 1 − 25η , where the probability is taken over t1,1 , . . . , td,k ∈ S chosen uniformly and independently at random. Since #Pf = pw − 1, we obtain Pr ∀g ∈ Pf , ∃i ∈ [1, d]  distp (g(ti,1 ) + · · · + g(ti,k ), f (ti,1 ) + · · · + f (ti,k )) > 2−η+1 p d 5 ≥ 1 − (pw − 1) > 1 − 2−η 2η because d(η − log 5) > 2(nw)1/2 (0.5(nw)1/2 + 3 − log 5) > nw + η ≥ w log p + η, provided that p is large enough. Indeed, we ﬁx some (t1,1 , . . . , td,k ) ∈ S dk with min max distp (g(ti,1 ) + · · · + g(ti,k ), f (ti,1 ) + · · · + f (ti,k )) > 2−η+1 p. (5)
g∈Pf i∈[1,d]
Let v ∈ Lτ,e,p (t1,1 , . . . , td,k ) be a lattice point satisfying
d
1/2 (vi − si )
2
≤ 2−η p.
i=1
Since v ∈ Lτ,e,p (t1,1 , . . . , td,k ), there are some integers β1 , . . . , βw , z1 , . . . , zd such that w w ej ej ej ej βj (t1,1 + · · · + t1,k ) − z1 p, . . . , βj (td,1 + · · · + td,k ) − zd p, v= j=1
j=1
β1 /2
τ +1
, . . . , βw /2
τ +1
.
Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields
175
If βj ≡ αj mod p, j = 1, . . . , w, then for all i = 1, . . . , d we have ⎢ ⎥ ⎢ w ⎥ w ⎢ ej ej ej ej ⎥ ⎣ βj (ti,1 + · · · + ti,k ) − zi p = βj (ti,1 + · · · + ti,k )⎦ j=1
j=1
p
= f (ti,1 ) + · · · + f (ti,k )p , since otherwise there is i ∈ [1, d] such that vi − si  > 2−η p. Now suppose that βj ≡ αj mod p for some j ∈ [1, w]. In this case we have ⎛ ⎞ d 1/2 w e e j j (vi − si )2 ≥ max distp ⎝ βj (ti,1 + · · · + ti,k ), si ⎠ i∈[1,d]
i=1
j=1
w ej ej βj (ti,1 + · · · + ti,k ) distp f (ti,1 ) + · · · + f (ti,k ),
≥ max
i∈[1,d]
j=1
− distp si , f (ti,1 ) + · · · + f (ti,k ) > 2−η+1 p − 2−η p = 2−η p, contradicting our assumption. As we have seen, condition (5) holds with probability exceeding 1 − 2−η and the result follows. Now we state a rather general result. Theorem 1. Let p be a suﬃciently large nbit prime and w and k be positive integers of polynomial size. We deﬁne μ = (nw)1/2 ,
τ = μ + log n + log k ,
d = 2 μ ,
and
η = 0.5μ + 3.
There exists a deterministic polynomial time algorithm A such that for any −η , k, f )homogeneously polynomial f , deﬁned by (1), such that S ⊆ Fm p is (2 distributed modulo p, given kd(m + 1) integers ti,j ∈ S
and
si,j = MSBτ,p (f (ti,j )),
i = 1, . . . , d,
j = 1, . . . , k
its output satisﬁes Pr A(t1,1 , . . . , td,k ; s1,1 , . . . , sd,k ) = (α1 , . . . , αw ) ≥ 1 + O(2−η ), m t1,1 ,...,td,k ∈Fp
if t1,1 , . . . , td,k are chosen uniformly and independently at random from S. Proof. Let us consider the vector s = (s1 , . . . , sd , sd+1 , . . . , sd+w ) where sd+j = 0, j = 1, . . . , w, and si = si,1 + · · · + si,k , i = 1, . . . , d. We have f (ti,j ) − si,j  ≤ p/2τ +1 and thus f (ti,1 ) + · · · + f (ti,k ) − si  ≤ kp/2τ +1.
176
´ Ibeas and A. Winterhof A.
Next we have f (ti,1 ) + · · · + f (ti,k ) − si = f (ti,1 ) + · · · + f (ti,k )p − si p + νp with ν ∈ {−1, 0, 1}. If ν = 1 then we have f (ti,1 ) + · · · + f (ti,k )p − si p + p = f (ti,1 ) + · · · + f (ti,k ) − si  < kp/2τ +1 which is only possible if f (ti,1 ) + · · · + f (ti,k )p < kp/2τ +1. Similarly, we can show that ν = −1 is only possible if f (ti,1 ) + · · · + f (ti,k )p > p − kp/2τ +1. Because of the homogeneous distribution property, the probability that kp/2τ +1 ≤ f (ti,1 ) + · · · + f (ti,k )p ≤ p − kp/2τ +1 for all i = 1, . . . , d is 1 + O(dk/2τ ). Now we assume that ν = 0 and thus f (ti,1 ) + · · · + f (ti,k )p − si p  < kp/2τ +1. Multiplying the jth row vector of the matrix (4) by αj and subtracting a certain multiple of the (w + j)th vector, j = 1, . . . , w, we obtain a lattice point u = (u1 , . . . , ud , α1 /2τ +1, . . . , αw /2τ +1) ∈ Lτ,e,p (t1,1 , . . . , td,k ) such that ui − si  < kp2−τ −1 ,
i = 1, . . . , d + w,
where ud+j = αj /2τ +1, j = 1, . . . , w. Therefore, d+w
(ui − si )2 ≤ (d + w)2−2τ −2 k 2 p2 .
i=1
We can assume that w ≤ n because in the opposite case τ > n+ log k and the result is trivial. Therefore d+w = O(τ ). Now we can use Lemma 4 to ﬁnd in polynomial time a lattice vector v = (v1 , . . . , vd , vd+1 , . . . , vd+w ) ∈ Lτ,e,p (t1,1 , . . . , td,k ) such that d+w d 2 o(d+w) 2 (vi − si ) ≤ 2 min (zi − si ) , z = (z1 , . . . , zd+w ) ∈ L i=1
i=1
≤2
−2τ +o(τ )
(d + w)k 2 p2 ≤ 2−2τ +o(τ )k 2 p2 ≤ 2−2η−1 p2 ,
provided that p is large enough. We also have d (ui − si )2 ≤ d2−2τ −2 k 2 p2 ≤ 2−2η−2 p2 . i=1
d Therefore, i=1 (ui −vi )2 ≤ 2−2η p2 . Applying Lemma 5, we see that v = uf with probability at least 1 − 2−η , and therefore the coeﬃcients of f can be recovered in polynomial time. Applying Lemma 3 and Equation (3) to Theorem 1 we obtain (k = 1):
Noisy Interpolation of Multivariate Sparse Polynomials in Finite Fields
177
Corollary 1. Let p be a suﬃciently large nbit prime and let w ≥ 1 be an integer. We deﬁne μ = (nw)1/2 , τ = μ + log n, d = 2 μ, η = 0.5μ + 3. There exists a deterministic polynomial time algorithm A such that for any polynomial f deﬁned by (1), with known exponents 1 ≤ e1 < · · · < ew < pm and total degree D≤
p1/2 ; 2η log p
given d(m + 1) integers ti ∈ Fm p and si = MSBτ,p (f (ti )), i = 1, . . . , d, its output satisﬁes Pr m A(t1 , . . . , td ; s1 , . . . , sd ) = (α1 , . . . , αw ) ≥ 1 + O(2−η ), t1 ,...,td ∈Fp
if t1 , . . . , td are chosen uniformly and independently at random from Fm p . For polynomials of higher degree, Lemma 2 gives: Corollary 2. Let p be a suﬃciently large nbit prime and let w ≥ 1 be an integer. We deﬁne μ = (nw)1/2 ,! τ = μ + log n + log k, d = 2 μ, η = 0.5μ+ 3, where k = 3(w log p)1+ε log p for 1 > ε > 0. There exists a deterministic polynomial time algorithm A such that for any polynomial f deﬁned by (1), with known exponents 1 ≤ e1 < · · · < ew < pm and satisfying (2), given kd(m + 1) integers ti,j ∈ Fm p and si,j = MSBτ,p (f (ti,j )), i = 1, . . . , d, j = 1, . . . , k, its output satisﬁes Pr A(t1,1 , . . . , td,k ; s1,1 , . . . , sd,k ) = (α1 , . . . , αw ) ≥ 1 + O(2−η ), m t1,1 ,...,td,k ∈Fp
if t1,1 , . . . , td,k are chosen uniformly and independently at random from Fm p . Remarks. Using the standard method for reducing incomplete exponential sums to complete ones we can easily extend Corollary 1 to subboxes of Fm p of the form S = {x0 + (x1 , . . . , xm ) : 0 ≤ xi < Ki , i = 1, . . . , m} for some integers 1 ≤ K1 , . . . , Km ≤ p and x0 ∈ Fm p . Moreover, we can extend the results to the situation where the randomly chosen points are chosen from a suﬃciently large subgroup of F∗p of order T by substituting the variable X by Y (p−1)/T . The condition e1 ≥ 1 is not absolutely necessary. However, if we don’t restrict ourselves to the case f (0, . . . , 0) = 0 a modiﬁed algorithm gives only an approximation of the constant term f (0, . . . , 0).
References 1. Cochrane, T., Pinner, C., Rosenhouse, J.: Bounds on exponential sums and the polynomial Waring problem mod p. J. London Math. Soc. 67(2), 319–336 (2003) 2. Shparlinski, I., Winterhof, A.: A hidden number problem in small subgroups. Math. Comp. 74(252), 2073–2080 (2005) 3. Shparlinski, I., Winterhof, A.: Noisy interpolation of sparse polynomials in finite fields. Appl. Algebra Engrg. Comm. Comput. 16(5), 307–317 (2005)
178
´ Ibeas and A. Winterhof A.
4. Shparlinski, I.E.: Sparse polynomial approximation in finite fields. In: Proceedings of the ThirtyThird Annual ACM Symposium on Theory of Computing, pp. 209–215. ACM, New York (2001) (electronic) 5. Shparlinski, I.E.: Playing ‘hideandseek’ with numbers: the hidden number problem, lattices and exponential sums. In: Publickey cryptography. Proc. Sympos. Appl. Math., vol. 62, pp. 153–177. Amer. Math. Soc., Providence (2005) 6. Shparlinski, I.E., Winterhof, A.: A nonuniform algorithm for the hidden number problem in subgroups. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 416–424. Springer, Heidelberg (2004) 7. Winterhof, A.: On Waring’s problem in finite fields. Acta Arith. 87(2), 171–177 (1998)
New Commutative Semifields and Their Nuclei J¨ urgen Bierbrauer Department of Mathematical Sciences Michigan Technological University Houghton, Michigan 49931 (USA)
Abstract. Commutative semifields in odd characteristic can be equivalently described by planar functions (also known as PN functions). We describe a method to construct a semifield which is canonically associated to a planar function and use it to derive information on the nuclei directly from the planar function. This is used to determine the nuclei of families of new commutative semifields of dimensions 9 and 12 in arbitrary odd characteristic. Keywords: PN functions, planar functions, presemifields, semifields, middle nucleus, kernel, DembowskiOstrom polynomial, isotopy, strong isotopy.
1
Introduction
Until recently the only known families of commutative semiﬁelds in arbitrary odd characteristic aside of the ﬁelds themselves were the classical constructions by Dickson [7] and Albert [1]. The ﬁrst provably new such general constructions were given in ZhaKyureghyanWang [11] and [2]. The families constructed in BudaghyanHelleseth [3] may be new as well but this seems to remain unproved. The survey article of Kantor [9] gives more background information and comments on the scarcity of known commutative semiﬁelds in odd characteristic, in particular when the characteristic is > 3. Definition 1. A presemifield is a set F with two binary relations, addition and ∗, such that – – – –
F is a commutative group with respect to addition, with identity 0. F ∗ is a loop under multiplication. 0 ∗ a = 0 for all a. The distributive laws hold.
If moreover there is an element e ∈ F such that e ∗ x = x ∗ e = x for all x we speak of a semifield. Definition 2. Let F = Fpr for an odd prime p. A function f : F −→ F is perfectly nonlinear (PN), also called a planar function, if for each 0 = a ∈ F the directional derivative δa defined as δa (x) = f (x + a) − f (x) is bijective. M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 179–185, 2009. c SpringerVerlag Berlin Heidelberg 2009
180
J. Bierbrauer
i Let f : F −→ F and write it as a polynomial f (x) = r−1 i=0 ai x . Then f is a DembowskiOstrom (DO)polynomial if all its monomials have pweight ≤ 2 (the exponents are sums of two powers of p). In odd characteristic planar DOpolynomials are equivalent with commutative presemiﬁelds, see CoulterHenderson [4]: Theorem 1. The following concepts are equivalent: – Commutative presemifields in odd characteristic. – DembowskiOstrom polynomials which are PN functions. The relation between those concepts is identical to the equivalence between quadratic forms and bilinear forms in odd characteristic, with the planar function in the role of the quadratic form. If ∗ is the presemiﬁeld product, then the corresponding planar function is f (x) = x ∗ x. When the planar function is given, the corresponding semiﬁeld product is x ∗ y = (1/2){f (x + y) − f (x) − f (y)}.
(1)
For an overview see also Section 9.3.2 of Horadam [8]. One way to construct a semiﬁeld from a commutative presemiﬁeld is the following: choose 0 = e ∈ F and deﬁne the new multiplication ◦ by (x ∗ e) ◦ (y ∗ e) = x ∗ y. Then ◦ describes a semiﬁeld with unit element e ∗ e. Definition 3. Let F = Frp be the rdimensional vector space over Fp . Consider presemifields on F whose additions coincide with that of F. Two such presemifield multiplications ∗ and ◦ on F are isotopic if there exist α1 , α2 , β ∈ GL(r, p) such that β(x ◦ y) = α1 (x) ∗ α2 (y) always holds. They are strongly isotopic if we can choose α2 = α1 . This notion of equivalence is motivated by the fact that two presemiﬁelds are isotopic if and only if the corresponding projective planes are isomorphic. Let F = Fpr be the ﬁeld of order pr . It is a commonly used method to replace a given commutative semiﬁeld of order pr by an isotopic copy which is deﬁned on F and shares the additive structure and the unit element 1 with F. The question is then to which degree the semiﬁeld structure can be made to coincide with the ﬁeld structure. As associativity is the only ﬁeld axiom that a commutative semiﬁeld does not satisfy it is natural that associativity will be in the center of interest. Definition 4. Let F = Fpr and (F, ∗) a commutative semifield with unit 1 whose additive structure agrees with that of the field F. Define S = {c ∈ F c ∗ x = cx for all x ∈ F }. M = {c ∈ F (x ∗ c) ∗ y = x ∗ (c ∗ y) for all x, y ∈ F }. K = {c ∈ F c ∗ (x ∗ y) = (c ∗ x) ∗ y for all x, y ∈ F }.
New Commutative Semifields and Their Nuclei
181
Here the dimensions of the middle nucleus M and of the kernel or left nucleus K of a commutative semiﬁeld are invariant under isotopy. The dimension of S depends on the embedding of the semiﬁeld in the ﬁeld F. As mentioned in [5] we have K ⊆ M (if a ∗ (x ∗ y) = (a ∗ x) ∗ y for all x, y, then this also equals (a ∗ y) ∗ x = (y ∗ a) ∗ x = (x ∗ a) ∗ y = x ∗ (a ∗ y)). As M is closed under semiﬁeld multiplication and is associative it is a ﬁeld. The semiﬁeld multiplication on M can therefore be made to coincide with ﬁeld multiplication. The same is true of the vector space structure of F over its subﬁeld M. It follows that we can ﬁnd a suitable isotope such that K ⊆ M ⊆ S. Here are the constructions from [11] and [2]: Theorem 2. Let p be an odd prime, q = ps , q = pt , F = Fq3 , s = s/ gcd(s, t), t = t/ gcd(s, t), s odd. Let f : F −→ F be defined by
f (x) = x1+q − vxq
2
+q q
where ord(v) = q 2 + q + 1.
Then f is a PN function in each of the following cases: – s + t ≡ 0 (mod 3). – q ≡ q ≡ 1 (mod 3) Theorem 3. Let p be an odd prime, q = ps , q = pt , K = Fq ⊂ F = Fq4 such that 2s/ gcd(2s, t) is odd, q ≡ q ≡ 1 (mod 4). Let f : F −→ F be defined by
f (x) = x1+q − vxq
3
+q q
where ord(v) = q 3 + q 2 + q + 1.
Then f is a PN function. The ﬁrst family of Theorem 2 is constructed in [11], the second family of Theorem 2 and Theorem 3 are from [2]. In the generic case the ﬁrst family of Theorem 2 is new as was shown in [11]. It was proved in [2] that the semiﬁelds of order p4s isotopic to the special case t = 2, s > 1 odd of Theorem 3 are not isotopic to Dickson or Albert semiﬁelds. Let f (x) be a DembowskiOstrom polynomial which is a PN function and ∗ the corresponding presemiﬁeld product (x ∗ y = (1/2){f (x + y) − f (x) − f (y)}). In the following section we decribe a canonical construction of a (commutative) semiﬁeld strongly isotopic to (F, ∗) which allows to read oﬀ information on the nuclei directly from f (x). In the last section we continue studying lowdimensional subfamilies of the planar functions of Theorems 2,3. In particular we describe 12dimensional semiﬁelds with middle nucleus of dimension 2 and kernel Fp as well as a new family of 9dimensional semiﬁelds all of whose nuclei agree with the prime ﬁeld. In the sequel p always denotes an odd prime.
182
2
J. Bierbrauer
From Commutative Presemifields to Semifields in Odd Characteristic
Definition 5. Let f (X) be a DOpolynomial defined on F = Fpr for odd p. Let i G = Gal(F Fp ) = {g0 = id, g1 , . . . , gr−1 } be the Galois group where gi (x) = xp . Write r−1 f (X) = ai gi (X 2 ) + bjk gj (X)gk (X) i=0
j
where ai , bjk ∈ F. If f (X) is also a planar function, then the presemifield product defined by f (X) is x∗y = ai gi (xy) + (bjk /2)(gj (x)gk (y) + gk (x)gj (y)) i
j
i
Let ti (X) = X p − X. Lemma 1. tmu (X) is a polynomial in tm (X). u−1
Proof. Let Q = pm . Then tmu (X) = tm (X)Q g(u−1)m (tm (X)) + . . . + tm (X).
u−2
+ tm (X)Q
+ . . . + tm (X) =
Proposition 1. Let p odd, F = Fpr and (F, ∗) a commutative presemifield. Let α ∈ GL(r, p) and define a product ◦ by α(1) ∗ α(x ◦ y) = α(x) ∗ α(y). Then (F, ◦) is a commutative semifield with unit 1. It is strongly isotopic to (F, ∗). Proof. Obviously (F, ◦) is a commutative presemiﬁeld. It is related to (F, ∗) by the strong isotopy β(x ◦ y) = α(x) ∗ α(y) where β(x) = α(1) ∗ α(x). Choosing y = 1 shows α(1) ∗ α(x ◦ 1) = α(x) ∗ α(1). It follows x ◦ 1 = x. In case α = id we obtain 1 ∗ (x ◦ y) = x ∗ y. This is made explicit in the following deﬁnition and theorem. Definition 6. Let F = Fpr for odd p and f (x) a planar DOpolynomial on F. The associated semifield function is B(f (x)) where B ∈ GL(r, p) is the inverse of A(x) = x ∗ 1. The associated semifield product is the product ◦ defined by B(f (x)). r−1 2 Theorem 4. Let f (X) = j
New Commutative Semifields and Their Nuclei
183
Proof. Let x ∗ y be the presemiﬁeld product deﬁned by f (X). We have (bjk /2)(gj (x) + gk (x)) A(x) = x ∗ 1 = ai gi (x) + j
and f (x) = A(x2 ) +
(bjk /2)(2gj (x)gk (x) − gj (x2 ) − gk (x2 )).
j
The expression in parenthesis is 2gj (x)gk (x) − gj (x2 ) − gk (x2 ) = −(gk (x) − gj (x))2 = −gj (tk−j (x)2 ). This yields the associated semiﬁeld function B(f (x)) = x2 − B( (bjk /2)gj (tk−j (x)2 )) j
and the associated semiﬁeld product x ◦ y = xy − B( (bjk /2)gj (tk−j (x)tk−j (y)). j
This follows from the linearity of Equation 1 and the fact that a term x2 in the planar function turns into xy in the presemiﬁeld product. Observe that tmu (X) is a polynomial in tm (X) by Lemma 1. Let c ∈ Fpm . Then c◦x = cx as tm (c) = 0. This shows Fpm ⊆ S(F, ◦). In order to show Fpm ⊆ M(F, ◦) it remains to be shown (cx) ◦ y = x ◦ (cy) for all x, y. This also follows directly from the fact that tk−j (cx) = ctk−j (x) for all k, j such that bjk = 0. Theorem 5. In the situation of Theorem 4 let l be the greatest common divisor of r and the numbers i, j, k where ai = 0 and j < k such that bjk = 0. Then the associated semifield has Fpl in its left nucleus. Proof. Let c ∈ Fpl . We have to show (cx) ◦ y = c(x ∗ y). This follows from the form of B(f (x)) as given in the proof of Theorem 4 and the fact that A(x) and its inverse B(x) are linear over Fpl .
3
Some Semifields and Their Nuclei
Theorem 6. The semifields of order p12 associated to the presemifields in case s = 3, t = 2 of Theorem 3 have middle nucleus Fp2 and kernel Fp . Proof. We have p ≡ 1 (mod 4), F = Fp12 and ord(v) = p9 + p6 + p3 + 1. The planar function is 2 5 9 f (x) = x1+p − vxp +p . It follows from Theorem 4 that the middle nucleus M of the associated semiﬁeld (F, ◦) has even dimension. It was shown in [2] that dim(M) is not a multiple of
184
J. Bierbrauer
6. If dim(M) > 2, then dim(M) = 4. By a result of Menichetti [10] the semiﬁeld would be Albert which is not the case as we proved in [2]. It follows M = Fp2 . We have x ◦ y = xy − (1/2)B(t2 (x)t2 (y)) + (1/2)B(vg5 (t4 (x)t4 (y))) (see the proof of Theorem 4) and t4 (X) = t2 (X) + g2 (t2 (X)). Let K(X, Y ) be the polynomial such that x ◦ y = xy + K(t2 (x), t2 (y)). Then 2
2
K(X, Y ) = −(1/2)B(XY − vg5 ((X + X p )(Y + Y p )) = 5
7
5
7
7
5
= −(1/2)B(XY − v(XY )p − v(XY )p − vX p Y p − vX p Y p ). Assume dim(K) > 1. Then K = M = Fp2 . It has been proven in [5], Theorem 2 2 4.2, that this is equivalent with K(X, Y ) being a polynomial in X p and Y p . Although we do not know B explicitly it is obvious that this condition cannot be 11 i i+2 satisﬁed. In fact, let B(x) = i=0 βi gi (x). The absence of monomials X p Y p i for odd i shows β0 = β2 = . . . = β10 = 0. As (XY )p is absent for odd i we have 0 = βi − gi−5 (v)βi−5 − gi−7 (v)βi−7 = βi . This yields the contradiction B ≡ 0. We turn to Theorem 2. The smallest dimension for which new planar functions may result is r = 9 for the second subfamily. Here t should not be a multiple of 3 as otherwise a ﬁeld or an Albert twisted ﬁeld is obtained. Up to obvious 4 6 isotopy equivalences there are three cases, f (x) = x1+p −vxp +p , f (x) = x1+p − 3 7 2 3 8 vxp +p , f (x) = x1+p − vxp +p . We show that those yield new semiﬁelds all of whose nuclei agree with the prime ﬁeld: Theorem 7. Let p ≡ 1 (mod 3), q = p3 , K = Fq ⊂ F = Fp9 and ord(v) = q 2 + q + 1. The semifields of order p9 associated to the planar functions 4
f (x) = x1+p − vxp
+p6
3
, f (x) = x1+p − vxp
+p7
2
3
or f (x) = x1+p − vxp
+p8
have middle nucleus Fp and are not isotopic to a commutative Albert semifield. Proof. Assume the middle nucleus M of a corresponding semiﬁeld has dimension > 1. Then the dimension is 3. By Menichetti [10] we are in the Albert case. It suﬃces therefore to prove that our presemiﬁeld is not isotopic to a commutative Albert presemiﬁeld. There are four cases to consider. Corresponds ing presemiﬁelds are described by the monomial planar functions X 1+p where s ∈ {1, 2, 3, 4}. Here case s = 3 corresponds to the uniquely determined Albert semiﬁeld with nucleus of dimension 3, the remaining values of s are representatives of the three isotopism classes of commutative Albert presemiﬁelds whose corresponding semiﬁelds have nucleus of dimension 1. Assume we have isotopy with one of those commutative Albert presemiﬁelds. It follows from CoulterHenderson [4], Corollary 2.8 that there is a strong isotopy. There exist invertible linear mappings 8 8 ai gi (x), β(x) = bi gi (x) α(x) = i=0
i=0
New Commutative Semifields and Their Nuclei
such that
185
s
α(x)1+p = β(f (x)). We complete the proof for the ﬁrst type f (x). The proofs in the remaining cases are analogous. Observe that in the exponents modular distances (in the circle of length 9) d = 0, d = 3, d = 4 do not occur. In the case of distance d = 0 this yields ai ai+s = 0 for all i. The equations for d = 3 and d = 4 are the following: ai gs (ai+3−s ) + ai+3 gs (ai−s ) = 0. ai gs (ai+4−s ) + ai+4 gs (ai−s ) = 0. Without restriction a0 = 0. It follows as = a−s = 0. Evaluating the d = 3 equation for i ∈ {0, −3, s, s − 3} and the d = 4 equation for i ∈ {0, −4, s, s − 4} shows ai = 0 for i ∈ ±{s, s − 3, s − 4, s + 3, s + 4}. For s = 3 or s = 4 this yields the contradiction a0 = 0. For s = 1 or s = 2 the contradiction ai = 0 for all i = 0 is obtained.
References 1. Albert, A.A.: On nonassociative division algebras. Transactions of the American Mathematical Society 72, 296–309 (1952) 2. Bierbrauer, J.: New semifields, PN and APN functions. Designs, Codes and Cryptography (submitted) 3. Budaghyan, L., Helleseth, T.: New perfect nonlinear multinomials over Fp2k for any odd prime p,. In: Golomb, S.W., Parker, M.G., Pott, A., Winterhof, A. (eds.) SETA 2008. LNCS, vol. 5203, pp. 403–414. Springer, Heidelberg (2008) 4. Coulter, R.S., Henderson, M.: Commutative presemifields and semifields. Advances in Mathematics 217, 282–304 (2008) 5. Coulter, R.S., Henderson, M., Kosick, P.: Planar polynomials for commutative semifields with specified nuclei. Designs, Codes and Cryptography 44, 275–286 (2007) 6. Coulter, R.S., Matthews, R.W.: Planar functions and planes of LenzBarlotti class II. Designs, Codes and Cryptography 10, 167–184 (1997) 7. Dickson, L.E.: On commutative linear algebras in which division is always uniquely possible. Transactions of the American Mathematical Society 7, 514–522 (1906) 8. Horadam, K.J.: Hadamard matrices and their applications. Princeton University Press, Princeton (2007) 9. Kantor, W.M.: Commutative semifields and symplectic spreads. Journal of Algebra 270, 96–114 (2003) 10. Menichetti, G.: On a Kaplansky conjecture concerning threedimensional division algebras over a finite field. Journal of Algebra 47, 400–410 (1977) 11. Zha, Z., Kyureghyan, G.M., Wang, X.: Perfect nonlinear binomials and their semifields. Finite Fields and Their Applications 15, 125–133 (2009)
Spreads in Projective Hjelmslev Geometries Ivan Landjev New Bulgarian University, 21 Montevideo str., 1618 Sofia, Bulgaria and Institute of Mathematics and Informatics, BAS, 8 Acad. G. Bonchev str., 1113, Sofia, Bulgaria
Abstract. We prove a necessary and sufficient condition for the existence of spreads in the projective Hjelmslev geometries PHG(RRn+1 ). Further, we give a construction of projective Hjelmslev planes from spreads that generalizes the familiar construction of projective planes from spreads in PG(n, q). Keywords: Projective Hjelmslev geometry, projective Hjelmslev plane, spread, finite chain ring. Subject Classifications: 51E26, 51E21, 51E22, 94B05.
1 Introduction In this paper, we introduce spreads in the projective Hjelmslev geometries PHG(Rn+1 R ). There exists an extensive literature about spreads in the projective geometries PG(k, q) (cf. [5] and the references there). The same objects in ring geometries have attracted little or no attention despite the connections with interesting areas as linear codes over finite chain rings. In what follows, we restrict ourselves mainly to spreads in geometries over chain rings of nilpotency index 2. This is a necessary step towards investigating geometries over chain rings of larger nilpotency index, because of the nested structure of the projective Hjelmslev geometries. On the other hand, geometries over rings have less regularities than the usual projective geometries, we settle for a problem that is tractable to some extent. Finally, there exists a complete classification for the chain rings R with R = q2 , R/ radR ∼ = Fq , so that in this case we have a description of all coordinate geometries. This paper is organized as follows. In Section 2, we give some basic facts about finite chain rings and the structure of projective Hjelmslev geometries over such rings. In Section 3, we prove a necessary and sufficient condition for the existence of spreads in the projective Hjelmslev geometries PHG(Rn+1 R ), where R is a finite chain ring of nilpotency index 2. We sketch the proof of the main theorem for arbitrary chain rings. In Section 4, we present a construction of projective Hjelmslev planes from spreads in PHG(Rn+1 R ). M. BrasAmorós and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 186–194, 2009. c SpringerVerlag Berlin Heidelberg 2009
Spreads in Projective Hjelmslev Geometries
187
2 Basic Facts on Projective Hjelmslev Geometries A finite ring R (associative, with identity 1 = 0, ring homomorphisms preserving the identity) is called a left (resp. right) chain ring if the lattice of its left (resp. right) ideals forms a chain. It turns out that every left ideal is also a right ideal. Moreover, if N = rad R every proper ideal of R has the form N i = Rθi = θi R, for any θ ∈ N \ N 2 and some positive integer i. The factors N i /N i+1 are onedimensional linear spaces over R/N. Hence, if R/N ∼ = Fq and m denotes the nilpotency index of N, the number of elements of R is equal to qm . For further facts about chain rings, we refer to [2,10,11]. As mentioned above, we consider chain rings of nilpotency index 2, i.e. chain rings with N = (0) and N 2 = (0). Thus we have always R = q2 , where R/N ∼ = Fq . Chain rings with this property have been classified in [3,12]. If q = pr there are exactly r + 1 isomorphism classes of such rings. These are: • for every σ ∈ Aut Fq the ring Rσ ∼ = Fq [X; σ]/(X 2 ) of socalled σdual numbers over addition and multiplication given Fq with underlying set Fq × Fq , componentwise by (x0 , x1 )(y0 , y1 ) = x0 y0 , x0 y1 + x1 σ(y0 ) ; • the Galois ring GR(q2 , p2 ) ∼ = Z p2 [X]/( f (X)), where f (X) ∈ Z p2 [X] is a monic polynomial of degree r, which is basic irreducible (cf. [10]). The rings Rσ with σ = id are noncommutative, while Rid is commutative. Moreover, char Rσ = p for every σ. The Galois ring GR(q2 , p2 ) is commutative and has characteristic p2 . From now on we denote by R a finite chain ring of nilpotency index 2. The only exception will be Theorem 8, where R is a chain ring of an arbitrary nilpotency index. Let R be a finite chain ring and consider the module M = RkR . Denote by M ∗ the set of all nontorsion vectors of M, i.e. M ∗ = M \ Mθ. Define sets P and L by
P = {xR; x ∈ M ∗ }, L = {xR + yR; x, y ∈ M ∗ , x, y linearly independent}, respectively, and take as incidence relation I ⊆ P × L settheoretical inclusion. Further, define a neighbour relation on the sets of points and lines of the incidence structure (P , L , I) as follows: Y ) if there exist two different (N1) the points X,Y ∈ P are neighbours (notation X lines incident with both of them; (N2) the lines s,t ∈ L are neighbours (notation s t) if there exist two different points incident with both of them. The incidence structure Π = (P , L , I) with the neighbour relation is called the (k−1)dimensional (right) projective Hjelmslev geometry over R and is denoted by PHG(RkR ). The point set S ⊆ P is called a Hjelmslev subspace (or simply subspace) of PHG(RkR ) if for every two points X,Y ∈ S , there exists a line l incident with X and Y that is incident only with points of S . The Hjelmslev subspaces of PHG(RkR ) are of the form {xR; x ∈ U ∗ }, where U is a free submodule of M. The (projective) dimension of a subspace is equal to the rank of the underlying module minus 1. It is easily checked that is an equivalence relation on each one of the sets P and L . If [X] denotes the set of all points that are neighbours to X = xR, then [X] consists
188
I. Landjev
of all free rank 1 submodules of xR + Mθ. Similarly, the class [l] of all lines which are neighbours to l = xR + yR consists of all free rank 2 submodules of xR + yR + Mθ. More generally, two subspaces S and T , dim S = s, dim T = t, s ≤ t, are neighbours if {[X]; X ∈ S } ⊆ {[X]; X ∈ T }. In particular, we say that the point X is a neighbour of the subspace S if there exists a point Y ∈ S with X Y . The neighbour class [S ] contains all subspaces of dimension s that are neighbours to S . The next theorems give some insight into the structure of the projective Hjelmslev geometries PHG(RkR ) and are part of more general results [1,4,6,7,8,9,13]. As usual, n k q denotes the Gaussian coefficient: n (qn − 1)(qn−1 − 1) . . . (qn−k+1 − 1) = . k q (qk − 1)(qk−1 − 1) . . . (q − 1) Theorem 1. Let Π = PHG(RkR ) where R is a chain ring with R = q2 , R/N ∼ = Fq . Then k −1 (i) the number of points (hyperplanes) in Π is qk−1 nk q = qk−1 · qq−1 ; k−1 (ii) every point (hyperplane) has q neighbours; (iii) every subspace of dimension s − 1 is contained in exactly q(t−s)(k−t) k−s t−s q subspaces of dimension t − 1, where s ≤ t ≤ k; (iv) given a point P and a subspace S of dimension s − 1 containing P, there exist exactly qs−1 points in S that are neighbours to P. Note that the Hjelmslev spaces PHG(RkR ) are 2uniform in the sense of [4]. Denote by η the natural homomorphism from Rk to Rk /Rk θ and by η the mapping induced by η on the submodules of Rk . It is clear that for every point X and every line l we have [X] = {Y ∈ P ; η(Y ) = η(X)}, [l] = {m ∈ L ; η(m) = η(l)}.
P
(resp. L ) the set of all neighbour classes of points (resp. lines). Let us denote by The following result is straightforward. Theorem 2. The incidence structure (P , L , I ) with incidence relation I defined by [X] I [l] ⇐⇒ ∃Y ∈ [X], ∃ m ∈ [l] : Y I m is isomorphic to the projective geometry PG(k − 1, q) Let S0 be a fixed subspace in PHG(RkR ) with dim S0 = s. Define the set P of subsets of P by P = {S ∩ [X]; X S0 , S ∈ [S0 ]}. The sets S ∩ [X] are either disjoint or coincide. Define an incidence relation I ⊂ P × L by / (S ∩ [X])I l ⇐⇒ l ∩ (S ∩ [X]) = 0.
Spreads in Projective Hjelmslev Geometries
189
Let L (S0 ) be the set of all lines in L incident with at least one point in P. For the lines l1 , l2 ∈ L (S0 ) we write l1 ∼ l2 if they are incident (under I) with the same elements of P. The relation ∼ is an equivalence relation under which L (S0 ) splits into classes of equivalent lines. Denote by L a set of representatives of the equivalence classes of lines in L (S0 ). The set of representatives L contains only two types of lines: lines l with l S0 . S0 and lines l with l Theorem 3. The incidence structure (P, L, I P×L ) can be embedded into PG(k−1, q). A special case of this result is obtained if we take S0 to be a point. Given Π = (P , L , I) = PHG(RkR ) and a point P ∈ P , let L (P) be the set of all lines in L incident with points in [P]. For two lines s,t ∈ L (P) we write s ∼ t if s and t coincide on [P]. Denote by L1 a complete list of representatives of the lines from L (P) with respect to the equivalence relation ∼. Then we have the following result: Theorem 4
([P], L1 , I[P]×L1 ) ∼ = AG(k − 1, q).
Finally, let two points X1 and X2 in Π = PHG(RkR ) be neighbours. Then any two lines incident with X1 and X2 are neighbours and belong to the same class, [l] say. In such case we say that the neighbour class [l] has the direction of the pair (X1 , X2 ).
3 The Existence of Spreads in Projective Hjelmslev Geometries Definition 5. An rspread of the projective Hjelmslev geometry PHG(Rn+1 R ) is a set S of rdimensional subspaces such that every point is contained in exactly one subspace of S . Theorem 6. Let R be a chain ring with R = q2 , R/ rad R ∼ = Fq . There exists a spread S of rdimensional spaces of PHG(RnR ) if and only if r + 1 divides n + 1. Proof. The number of points in an rdimensional subspace is qr r+1 1 q . The existence of r+1 r+1 r a spread of r dimensional subspaces implies that q 1 q divides qn n+1 1 q , i.e. 1 q divides n+1 , i.e. r + 1 divides n + 1. 1 q Assume that r + 1 divides n + 1 and let s be determined by n + 1 = (s + 1)(r + 1). First we consider the case where R = GR(q2 , p2 ). Take an algebra of dimension r + 1 over R = GR(q2 , p2 ), e.g. let this algebra be Rr+1 = R[X]/( f (X)) = GR(q2(r+1) , p2 ), where f is a monic irreducible polynomial of degree r + 1 over R. If α is a root of f in Rr+1 then every element β from Rr+1 can be written as β = b0 + b1 α + . . . + br αr , bi ∈ R. n+1 are isomorphic as modules over R. Thus each point in Clearly, Rs+1 r+1 , Rn+1 and R n+1 PHG(RR ) can be represented by an (s + 1)tuple of elements from Rr+1 or as a unit in Rn+1 . In the same time, every (s + 1)tuple over Rr+1 that has at least one coordinate that is a unit, can be viewed as a point in PHG(Rs+1 r+1 ).
190
I. Landjev
∗ Let (γ0 , γ1 , . . . , γs ) ∈ (Rs+1 r+1 ) be a nontorsion vector. Without loss of generality, let γ0 = 0. Consider the system −γ1 x0 + γ0 x1 =0 −γ2 x0 + + γ x =0 0 2 . (1) . .. ... = 0 −γs x0 + + γ0 xs = 0
The choice of the nonzero element is not essential. If we take γ j = 0. The system (1) is equivalent to −γi x j + γ j xi = 0 for i = 0, 1, . . . , s, i = j. The solutions of (1) form a free s+1 submodule of rank 1 Rs+1 r+1 , i.e. a point in PHG(Rr+1 ). This rank 1 submodule can be considered as a free submodule of rank (r + 1) of Rn+1 R , i.e. a rdimensional subspace of PHG(Rn+1 ). Two (r + 1)dimensional subspaces in Rn+1 obtained from different 1R R s+1 dimensional subspaces of Rr+1 do not have a common nontorsion vector. Now consider two different points (γ0 , γ1 , . . . , γs ) and (δ0 , δ1 , . . . , δs ) in PHG(Rs+1 r+1 ). These points give rise to systems of the type (1) having as solutions different points of s+1 PHG(Rs+1 r+1 ) (1dimensional subspaces of Rr+1 ). Assume otherwise and let the (s + 1)tuple (x0 , x1 , . . . , xs )=(0, 0, . . . , 0) be a common solution of the two systems. Then x0 = λγ0 = µδ0 , x1 = λγ1 = µδ1 , . . . , xs = λγs = µδs , where λ, µ ∈ Rr+1 , λ, µ = 0. This is a contradiction since the points (γ0 , γ1 , . . . , γs ) and (δ0 , δ1 , . . . , δs ) were assumed to be different. It remains to prove that every point is contained in a rdimensional subspace. The n n+1 ; the number of points in an rdimensional ) is q number of points in PHG(Rn+1 R 1 q s(r+1) s+1 subspace is qr r+1 and the number of points in PHG(Rs+1 r+1 ) is q 1 q 1 qr+1 . Now we have r+1 s+1 qr+1 − 1 s(r+1) q(s+1)(r+1) − 1 n n+1 ·q = q · qs(r+1) = qr , qr 1 q 1 qr+1 1 q q−1 qr+1 − 1 which means that the rdimensional subspaces cover all points of PHG(Rn+1 R ). Secondly, consider the case where R is the ring of σ dual numbers over the finite field Fq , i.e. R = Rσ = Fq + tFq . Denote by R the ring of σ dual numbers Fqr+1 + tFqr+1 , where σ Fqr+1 = σ. Similarly, let R be the ring of σ dual numbers Fqn+1 + tFqn+1 , where σ Fqn+1 = σ . The ring R is a subring of R which in turn is a subring of R . As
and Rn+1 and R R are isomorphic as (right) submodules over R. above, R s+1 R R Consider an arbitrary nontorsion vector (γ0 , γ1 , . . . , γs ) ∈ R R s+1 . Fix a component which is a unit, γ0 say, and consider the system of linear equations (1). The set of solutions of (1) is a free rank 1 submodule of R s+1 which can be viewed as a free rank R r submodule of Rn+1 R . Further the proof is completed as for Galois rings. Remark 7. Assume r + 1 divides n + 1. We can prove the existence of a spread of rdimensional subspaces using the nested structure of the projective Hjelmslev geometries.
Spreads in Projective Hjelmslev Geometries
191
Let H0 be a fixed subspace in PHG(RkR ) with dim H0 = r. Define the set P of subsets of P by P = {H ∩ [X]; X H0 , H is a subspace, dim H = s, H ∈ [H0 ]}. The sets H ∩ [X] are either disjoint or coincide. Define an incidence relation I ⊂ P × L by / (H ∩ [X])I l ⇐⇒ l ∩ (H ∩ [X]) = 0. Let L (H0 ) be the set of all lines in L incident with at least one point in P. For the lines l1 , l2 ∈ L (H0 ) we write l1 ∼ l2 if they are incident (under I) with the same elements of P. The relation ∼ is an equivalence relation under which L (H0 ) splits into nonintersecting classes of equivalent lines. Denote by L a set of representatives of the equivalence classes of lines in L (H0 ). The set of representatives L contains only two types of lines: H0 . lines l with l H0 and lines l with l It is known from [6] that the incidence structure (P, L, I P×L ) can be embedded isomorphically into the projective geometry PG(k − 1, q). Hence we can construct a spread in PHG(Rn+1 R ) in the following way. We start with a spread in the factor geometry PG(n, q). This spread defines a set of neighbourhood classes of projective rsubspaces. Each one of these classes is isomorphic in the sense of the above mentioned result to a projective geometry PG(n, q) with an (n − r − 1)dimensional space deleted. Now it suffices to take a spread which contains a spread of the deleted (n − r − 1)dimensional subspace. A spread with this property can be constructed, for instance, by repeating the construction from the proof of Theorem 6. The exceptional (n − r − 1)dimensional space can be taken as the space consisting of all points having zeros in the first r + 1 positions. Theorem 6 can be generalized to projective Hjelmslev geometries over arbitrary chain rings R. Theorem 8. Let R be a chain ring with R = qm , R/ rad R ∼ = Fq . The ndimensional projective Hjelmslev geometry PHG(Rn+1 ) has a spread of rdimensional projective R Hjelmslev subspaces if and only if r + 1 divides n + 1. Proof. We give only a sketch of a proof. For the sake of convenience, we set N = rad R = θR. As before, the "only if"part is straightforward. The proof of the "if"part uses induction on m and n. This result is obviously true for m = 1 and 2. It is also trivial if n = r for every m. Consider the factor geometry having as points the (m − 1)neighbour classes on points. It is isomorphic to PHG((Rk /θm−i Rk )R/N m−i (cf. [6]). By the induction hypothesis, it has a spread of rdimensional projective Hjelmslev subspaces. The preimage of these subspaces are of the form [Δ]m−1 where Δ is an rdimensional Hjelmslev subspace in PHG(Rn+1 R ). Here [Δ] j is the class of all rdimensional Hjelmslev subspaces that are ∼ jth neighbours to Δ. Now [Δ] j can be imbedded isomorphically in PHG((R/N)n+1 R/N ) = PG(n, q) (cf. [6]) where the missing part is an (n − r − 1)dimensional subspace, H say. Since r + 1 divides n − r = (n + 1) − (r + 1), we have that H contains a spread by the induction hypothesis. Now it is enough to take a spread which contains as a subset the spread of the missing (n − r − 1)dimensional subspace.
192
I. Landjev
4 Projective Hjelmslev Planes from Spreads Spreads in Π = PHG(Rn+1 R ) can be used to construct projective Hjelmslev planes. Set n = 2t − 1, r = t − 1, s = 1. By Theorem 6 , there exists a spread S of rdimensional subspaces of Π such that its image under the canonical map η is a (multiple of a) spread in PG(n, q). = PHG(Rn+2 ), e.g. by taking by taking as The geometry Π can be imbedded in Π R with first coordinate 0. Hence Π can be considered as a points of Π all points of Π Denote by [Π] the set of all neighbour hyperpalnes to Π in Π. Define hyperplane of Π. a new incidence structure as follows: Take as points: that are not incident with a point of [Π]. These are called proper (1) all points of Π points and their number is: qn+1
qn+2 − 1 qn+1 − 1 − qn+1 = q2(n+1) = q4t . q−1 q−1
(2) all subspaces of the form S, P ∩ H, \ [Π] and H is where S is an rdimensional subspace from S , P is a point from Π a hyperplane of Π contained in the neighbour class [Π]. We cann call these ideal points. The number of choices for the point P is q4t = q2(n+1) . The number of choices for S ∈ S is qn q q−1−1 n+1
S  =
qr q q−1−1 r+1
=
q2t−1 (q2t − 1) = qt (qt + 1). qt−1 (qt − 1)
The number of choices for H ∈ [Π] is qn+1 = q2t . For all points Q in S, P \ [Π], we have S, Q ∩ H = S, P ∩ H i.e. we get the same point in the new incidence structure. Hence for qr+1
qr+2 − 1 qr+1 − 1 − qr+1 = q2(r+1) = q2t . q−1 q−1
different points P we get the same (r + 1)dimensional subspace S, P. As lines we take: \ [Π], i.e. (1) all subspaces of the form S, P, where S ∈ S and P is a point from Π these are all (r + 1)dimensional subspaces through rdimensional subspaces in the spread; (2) all hyperplanes H from [Π].
Spreads in Projective Hjelmslev Geometries
193
For the ideal points, we For the proper points neighbourhood is inherited from Π. have that S , P ∩ H S , P ∩ H if and only if S and S are neighbours in Π. By definition, two lines 1 and 2 are neighbours if for every point X ∈ 1 there exists a point Y ∈ 2 with X Y , and, conversely, for every Y ∈ 2 there exists an X ∈ 1 with Y X. \ [Π] Lemma 9. Let S be an rdimensional subspace in Π and let P, Q be points from Π with P Q. Then S, P ∩ [Π] = S, Q ∩ [Π]. Proof. Assume there exists a point X ∈ [Π] with X ∈ S, Q, but X ∈ S, P. The lines PY and QY are neighbours. Therefore PY ∩ QY  = q. The common points of both lines must be neighbours to Y . Hence the q common points must lie in [Π], contradiction to the initial assumption. Lemma 10. The number of hyperplanes from [Π] through a fixed rdimensional flat S ∈ S (S ⊂ Π) is qt . Proof. Any rdimensional flat in an (n + 1)dimensional space can be given by a set of (n + 1) − r = t + 1 equations. Without loss of generality, let S be given by x0 = x1 = . . . = xt = 0 and let Π be the hyperplane defined by x0 = 0. An arbitrary hyperplane in [Π] containing S satisfies an equation of the form: x0 + θ(r1 x1 + r2 x2 + . . . + rt xt ) = 0.
(2)
We have θr = θs if and only if r − s ∈ rad R, therefore (2) describes all hyperplanes in [Π] through S when (r1 , r2 , . . . , rt ) runs Γt , where Γ is a set of elements no two of which are congruent modulo rad R. hence there are exactly q possibilities for each ri and the number of hyperplanes in [Π] through S is qt . According to Lemma 9 the number of the essentially different choices of P is qn+2 −1 q−1 qr+2 −1 q−1
− q q−1−1 n+1
−
qr+1 −1 q−1
=
qn+1 = qt . qr+1
qt (qt
+ 1) and the number of hyperplanes H from [Π] The number of choices for S is is q2t . On the other hand, by Lemma 10, we get the same intersection for qt different hyperplanes in [Π]. Each ideal point of the second type can be obtained for qt different subspaces S, P. Therefore the number of all points of the second type is qt · qt (qt + 1) · q2t = q3t + q2t . qt · qt Now it is a straightforward check that the defined incidence structure is indeed a projective Hjelmslev plane. Acknowledgements. This research has been supported by the Strategic Development Fund of The New Bulgarian University.
194
I. Landjev
References 1. Artmann, B.: HjelmslevEbenen mit verfeinerten Nachbarschaftsrelationen. Mathematische Zeitschrift 112, 163–180 (1969) 2. Clark, W.E., Drake, D.A.: Finite chain rings. Abhandlungen aus dem mathematischen Seminar der Universität Hamburg 39, 147–153 (1974) 3. Cronheim, A.: Dual numbers, Witt vectors, and Hjelmslev planes. Geometriae Dedicata 7, 287–302 (1978) 4. Drake, D.A.: On nUniform Hjelmslev Planes. Journal of Combinatorial Theory 9, 267–288 (1970) 5. Hirschfeld, J.W.P.: Projective geometries over finite fields. Clarendon Press, Oxford (1998) 6. Honold, T., Landjev, I.: Projective Hjelmslev geometries. In: Proc. of the International Workshop on Optimal Codes, Sozopol, pp. 97–115 (1998) 7. Kreuzer, A.: HjelmslevRäume. Resultate der Mathematik 12, 148–156 (1987) 8. Kreuzer, A.: Projektive HjelmslevRäume, Dissertation, Technische Universität München (1988) 9. Kreuzer, A.: Hjelmslevsche Inzidenzgeometrie  ein Bericht, Bericht TUMM9001, Technische Universität München, Beiträge zur Geometrie und Algebra Nr. 17 (January 1990) 10. McDonald, B.R.: Finite rings with identity. Marcel Dekker, New York (1974) 11. Nechaev, A.A.: Finite principal ideal rings. Mat. Sbornik of the Russian Academy of Sciences 20, 364–382 (1973) 12. Raghavendran, R.: Finite associative rings. Compositio Mathematica 21, 195–229 (1969) 13. Veldkamp, F.D.: Geometry over rings. In: Buekenhout, F. (ed.) Handbook of Incidence Geometry—Buildings and Foundations, pp. 1033–1084. Elsevier Science Publishers, Amsterdam (1995)
On the Distribution of Nonlinear Congruential Pseudorandom Numbers of Higher Orders in Residue Rings Edwin D. ElMahassni1 and Domingo Gomez2, 1
Department of Computing, Macquarie University North Ryde, NSW 2109, Australia [email protected] 2 Faculty of Science, University of Cantabria E39071 Santander, Spain [email protected]
Abstract. The nonlinear congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. In this paper we present new discrepancy bounds for sequences of stuples of successive nonlinear congruential pseudorandom numbers of higher orders modulo a composite integer M .
1
Background
For an integer M > 1, we denote by ZZM the residue ring modulo M . In this paper we present some distribution properties of a generalization of pseudorandom number generators, ﬁrst introduced in [7], deﬁned by a recurrence un+1 ≡ f (g1 (un , . . . , un−r+1 ), . . . , gr (un , . . . , un−r+1 ))
(mod M ),
(1)
where f (X1 , . . . , Xr ), g1 (X1 , . . . , Xr ), . . . , gr (X1 , . . . , Xr ) ∈ ZZM [X1 , . . . , Xr ] for n ≥ r − 1 with some initial values u0 , . . . , ur−1 . To study this pseudorandom number generator, we deﬁne the sequence of polynomials fk (X) ∈ ZZM [X], with X = X1 , . . . , Xr by the recurrence relation fk (X) ≡ fk−1 (g1 (X), . . . , gr (X))
(mod M ),
k≥1
(2)
where f0 (X) = f (X). It is obvious that (1) becomes periodic with some period t ≤ M r . Throughout this paper we assume that this sequence is purely periodic, i.e. un = un+t beginning with n = 0, otherwise we consider a shift of the original sequence.
Domingo Gomez is partially supported by the Spanish Ministry of Education and Science grant MTM20067088.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 195–203, 2009. c SpringerVerlag Berlin Heidelberg 2009
196
E.D. ElMahassni and D. Gomez
Although the distribution of nonlinear congruential generators has been studied extensively, see [5,6,9] for instance, much less is known for its higher orders analogue. A result for a class of polynomials for prime moduli was established in [7], where this was later extended to a larger family of polynomials in [8]. In this paper we show a generalization of this result to a larger class of pseudorandom number generators. 1.1
Notation and First Results
This section begins with some notation. It will be assumed that N, Ai , Bi and bi represent integer positive numbers and 0 is the rdimensional 0 vector. The elements of ZZM will be identiﬁed with the integers {0, . . . , M − 1}. For this reason, we can deﬁne eM (z) = exp(2πiz/M ) for any element z ∈ ZZM . For a polynomial f , G is the gcd of the coeﬃcients of nonconstant monomials with M . We will denote f (p) (X) ≡ f (X) (mod p) of total degree d for a polynomial f with integer coeﬃcients and total degree d. Finally, we deﬁne degXr f , the degree of the coeﬃcient Xr of the polynomial f , to be degXr modulo every prime factor p of M . Lemma 1. Given a polynomial in the ring ZZM [X], f (X) ≡
d1 i1 =0
...
dr
bi1 ,...,ir X1i1 . . . Xrir
(mod M )
ir =0
with degXr f ≥ 1 , total degree d, then exist polynomials h1 (Xr ), . . . , hr−1 (Xr ) of degree less than d(log d + 1) such that (p)
(p)
g (p) (Xr ) = f (p) (a1 + h1 (Xr ), . . . , ar−1 + hr−1 (Xr ), Xr )
(3)
is a nonconstant polynomial for any pM , p G and any values a1 , . . . , ar−1 ∈ ZZM . Proof. Let pM be a prime number not dividing G and D = log d + 1. By the deﬁnition of G, we note that f (p) (X) is not a constant polynomial and it can be expressed as f (p) (X) = h(X1 , . . . , Xr−1 )Xrd +f (X) where f (X) is a polynomial of degree stricly less than d in Xr . If d = 0 then f (p) (X) = h(X1 , . . . , Xr−1 ), but in any case h is a not a constant polynomial. Let IF be an extension ﬁeld of degree D over ZZp . By the cardinality of IF, there exist ξ1 , . . . , ξr−1 ∈ IF such as h(ξ1 , . . . , ξr−1 ) = 0. It is easy to check that
f (p) (X1 + ξ1 Xr , . . . , Xr−1 + ξr−1 Xr , Xr ) = h(ξ1 , . . . , ξr−1 )Xrd + f (X) (4) where d ≥ d > 0 and f (X) is a polynomial with total degree less than d − 1 in Xr . Let E be a extension ﬁeld of degree d + 1 over IF and let θ be a deﬁning element of E over both ZZp and E, i.e. E ≡ ZZp (θ) ≡ IF(θ).
On the Distribution of Nonlinear Congruential Pseudorandom Numbers
197
The evaluation of the polynomial in (4) f (p) (a1 + ξ1 θ, . . . , ar−1 + ξr−1 θ, θ) = 0,
a1 , . . . , ar−1 ∈ ZZp
(5)
because the degree of the minimal polynomial of θ over IF is d + 1. (p)
(p)
For i = 1, . . . , r−1, each element ξi θ can be expressed as hi (θ), where hi (Xr ) ∈ ZZp [Xr ]. Applying the Chinese Remainder Theorem to the diﬀerent polynomials (p) hi (Xr ) for each prime pM , we ﬁnd the corresponding hi (Xr ). By construction, (p) (p) f (p) (a1 + h1 (Xr ), . . . , ar−1 + hr−1 (Xr ), Xr ) is not the zero polynomial by (5) for any integer values a1 , . . . , ar−1 . Now, we proceed to deﬁne a family of polynomials depending on g1 (X),. . . ,gr (X) which will be the main subject of the article. Let IK be a ﬁeld. We denote by T as the set of polynomials, f , such that s−1 j=0 aj (fk+j (X) − fl+j (X)) is nonconstant, where fi (X) are deﬁned by (2) and aj ∈ IK, with at least one aj = 0 and k = l. Here is a suﬃcient condition for a certain polynomial to be in class T . To prove the result, we need some background. We start deﬁning a homomorphism of polynomial rings φ : IK[X1 , . . . , Xr ] → IK[X1 , . . . , Xr ] with φ(Xi ) = gi (X). Polynomials g1 (X), . . . , gr (X) are said to be algebraically independent if the application φ is injective. φk denotes the composition of the function φ k times with φ0 being the identity map. Lemma 2. Let f (X) be a polynomial in IK[X] and g1 (X), . . . , gr (X) be algebraically independent and IF be an extension ﬁeld of IK. Suppose that there exists (b1 , . . . , br ), (c1 , . . . , cr ) ∈ IFr two diﬀerent zeros of the polynomials g1 (X), . . . , gr (X) with f (c1 , . . . , cr ) = f (b1 , . . . , br ), then f ∈ T . Proof. s−1 Suppose that k > l, and exist a0 , . . . , as−1 ∈ IK with a0 = 0 satisfying; j=0 aj (fk+j (X) − fl+j (X)) = K, where K ∈ IK. Then s−1
aj (fk+j (X) − fl+j (X)) = φk−1
s−1 j=0
aj (f1+j (X) − f1−k+l+j (X))
j=0
s−1 and this implies K = j=0 aj ((f1+j (X)) − (f1−k+l+j (X))) because φ is an injective map. By equation (2), we notice that for k = 0, we have that fk (b1 , . . . , br ) = fk−1 (0, . . . , 0) = fk (c1 , . . . , cr ), so substituting in the equation both points and subtracting the result, we get that a0 = 0. The last remark in this section is that conditions in this criterion can be tested using Groebner basis.
198
1.2
E.D. ElMahassni and D. Gomez
Exponential Sums and Previous Results
We start by listing some previous bounds on exponential sums which will be used to establish our main results. The ﬁrst Lemma is the wellknown HuaLoo Keng bound in a form which is a relaxation of the main result of [11] (see also Section 3 of [3] and Lemma 2.2 in [6]), followed by its multidimensional version. Lemma 3. For any polynomial f (X) = bd X d + . . . + b1 X + b0 ∈ ZZM [X] of degree d ≥ 1, there is a constant c0 > 0 where the bound eM (f (x)) < ec0 d M 1−1/d G1/d x∈ZZM
holds, where G = gcd(bd , . . . , b1 , M ). Lemma 4. Let f (X), with total degree d ≥ 2 and degree greater than one in Xr , be a polynomial with integer coeﬃcients, with G = 1. Then the bound 2 2 eM (f (x1 , . . . , xr )) ≤ ec0 d (log d+1) M r−1/(d (log d+1)) x1 ,...,xr ∈ZZM holds, where c0 is some positive constant. Proof. We recall the univariate case that appears as Lemma 3. Then let g(X) = f (X1 + h1 (Xr ), X2 + h2 (Xr ), . . . , Xr ) where hi (Xr ) are the polynomials deﬁned in Equation (3). It is easy to see that eM (g(x1 , x2 . . . , xr )) . eM (f (x1 , x2 . . . , xr )) = where the summations are taken over x1 , x2 . . . , xr ∈ ZZM since (x1 , . . . , xr ) → (x1 + h1 (xr ), x2 + h2 (xr ), . . . , xr ) merely permutates the points. By Lemma 1, for any selection x1 , . . . , xr−1 this polynomial is not constant modulo p and the gcd of the coeﬃcients of g and M are coprime. Hence, applying Lemma 3, we have e (g(x , x . . . , x )) M 1 2 r x1 ,x2 ...,xr ∈ZZM ≤ eM (g(x1 , x2 . . . , xr )) x1 ,...,xr−1 ∈ZZM xr ∈ZZM
≤ ec0 d
2
(log d+1)
M r−1/d
2
(log d+1)
.
We obtain the last step by noting that the degree of g in Xr can be bounded by d2 (log d + 1) and so we are done.
On the Distribution of Nonlinear Congruential Pseudorandom Numbers
199
This now allows us to state and prove the following Lemma. Lemma 5. Let f (X) be a polynomial with integer coeﬃcients with degXr f ≥ 1 and total degree d. Recalling the deﬁnition of G, ≤ ec0 d2 (log d+1) M r (G/M )1/d2 (log d+1) e (f (x , . . . , x )) M 1 r x1 ...,xr ∈ZZM Proof. We let fG (x1 , . . . , xr ) = (f (x1 , . . . , xr ) − f (0))/G and m = M/G. Then, = e (f (x , . . . , x )) e (f (x , . . . , x ) − f (0)) M 1 r M 1 r x1 ,...,xr ∈ZZM x1 ,...,xr ∈ZZM = Gr em (fG (x1 , . . . , xr )) x1 ,...,xr ∈ZZm Now fG (x1 , . . . , xr ) satisﬁes the conditions in Lemma 4, so: 2 2 r G em (fG (x1 , . . . , xr )) ≤ Gr ec0 d (log d+1) (m)r−1/d (log d+1) x1 ,...,xr ∈ZZm and so the result follows. Lastly, we will make use of the following lemma, which is essentially the multidimensional version of Lemma 2.3 of [6]. Lemma 6. Let f (X) ∈ ZZM [X] be a polynomial such that f (p) ∈ T for every pM and let s−1
aj (fk+j (X) − fl+j (X)) =
j=0
d1 i1 =0
...
dr
bi1 ,...,ir X1i1 . . . Xrir ,
ir =0
where k = l. Recalling the deﬁnition of G, the following equality G = gcd(a0 , . . . , as−1 , M ) holds. Proof. We put Aj = aj /G and m = M/G, j = 0, . . . , s − 1. In particular, gcd(A0 , . . . , As−1 , m) = 1. It is enough to show that the polynomial H(X) =
s−1
Aj (fk+j (X) − fl+j (X))
j=0
is nonconstant modulo any prime pm, for k = l.
(6)
200
E.D. ElMahassni and D. Gomez
By deﬁnition, we have H (p) (X) ≡
s−1
(p) (p) Aj fk+j (X) − fl+j (X)
(mod p)
j=0
and H (p) (X) can not be a constant polynomial, since f (p) ∈ T and so we are done. 1.3
Discrepancy
For a sequence of N points −1 Γ = (γ0,n , . . . , γs−1,n )N n=0
(7)
of the halfopen interval [0, 1)s , denote by ΔΓ its discrepancy, that is, TΓ (B) − B , ΔΓ = sup N B⊆[0,1)s where TΓ (B) is the number of points of the sequence Γ which hit the box B = [α0 , β0 ) × . . . × [αs−1 , βs−1 ) ⊆ [0, 1)s and the supremum is taken over all such boxes. For an integer vector a = (a0 , . . . , as−1 ) ∈ ZZs we put a =
max
i=0,...,s−1
ai ,
r(a) =
s−1
max{ai , 1}.
(8)
i=0
We need the Erd¨ os–Tur´ an–Koksma inequality (see Theorem 1.21 of [4]) for the discrepancy of a sequence of points of the sdimensional unit cube, which we present in the following form. Lemma 7. There exists a constant Cs > 0 depending only on the dimension s such that, for any integer L ≥ 1, for the discrepancy of a sequence of points (7) the bound ⎛ ⎛ ⎞⎞ N −1 s−1 1 1 1 ⎝ ⎝ ⎠ ΔΓ < Cs + exp 2πi aj γj,n ⎠ L N r(a) n=0 j=0 0<a≤L holds, where a, r(a) are deﬁned by (8) and the sum is taken over all integer vectors a = (a0 , . . . , as−1 ) ∈ ZZs with 0 < a ≤ L. The currently best value of Cs is given in [2].
On the Distribution of Nonlinear Congruential Pseudorandom Numbers
2
201
Discrepancy Bound
Let the sequence (un ) generated by (1) be purely periodic with an arbitrary period t. For an integer vector a = (a0 , . . . , as−1 ) ∈ ZZs we introduce the exponential sum ⎛ ⎞ N −1 s−1 Sa (N ) = eM ⎝ aj un+j ⎠ . n=0
j=0
Theorem 1. Let the sequence (un ), given by (1) with a polynomial f (p) (X) ∈ T , for every prime divisor p of M , with total degree d and degXr f ≥ 1, be purely periodic with period t and t ≥ N ≥ 1. The bound Sa (N ) = O N 1/2 M r/2 (log log(M/G))−1/2 max gcd(a0 ,...,as−1 ,M)=G
holds, where G = gcd(a0 , . . . , as−1 , M ) and the implied constant depends only on s and d. Proof. The proof follows a strategy ﬁrst seen in [9]. Select any a = (a0 , . . . , as−1 ) ∈ ZZs with gcd(a0 , . . . , as−1 , M ) = G. It is obvious that for any integer k ≥ 0 we have ⎛ ⎞ N −1 s−1 Sa (N ) − ⎝ ⎠ eM aj un+k+j ≤ 2k. n=0 j=0 Therefore, for any integer K ≥ 1, KSa (N ) ≤ W + K 2 , where
⎛ ⎞ ⎛ ⎞ N N s−1 −1 K−1 s−1 −1 K−1 ⎝ ⎠ ⎝ ⎠ W = eM aj un+k+j ≤ eM aj un+k+j . n=0 k=0 n=0 k=0 j=0 j=0
Accordingly, letting x = x1 , . . . , xr , we obtain ⎛ ⎞2 N −1 K−1 s−1 2 ⎝ ⎠ eM aj fk+j (un , . . . , un−r+1 ) W ≤N n=0 k=0 j=0 ⎛ ⎞2 s−1 K−1 ⎝ ⎠ ≤N e a f (x) M j k+j j=0 x∈ZZrM k=0 ⎛ ⎞ K−1 s−1 K−1 =N eM ⎝ aj (fk+j (x) − fl+j (x))⎠ . k=0 l=0 x∈ZZrM
j=0
202
E.D. ElMahassni and D. Gomez
If k = l, then the inner sum trivially equal to M r . There are K such sums. is s−1 Otherwise the polynomial j=0 aj (fk+j (X) − fl+j (X)) is nonconstant since f (p) ∈ T . Hence we can apply Lemma 5 and Lemma 6 (so that we only need consider aj , j = 0, . . . , s − 1, instead of the coeﬃcients of f ) to the inner sum, obtaining the upper bound ec0 d
3(K+s−2)
M r−1/d
3(K+s−2)
G1/d
3(K+s−2)
for at most K 2 sums and positive constant c0 and noting that d2 (log d + 1) < d3 . Hence, W 2 ≤ KN M r + K 2 N ec0 d
3(K+s−2)
M r−1/d
3(K+s−2)
G1/d
3(K+s−2)
.
Now, without too much loss of generality we may assume (d + 1)3(K+s−2) ≥ 2. Next we put K = log log(M/G)/(3c log(d + 1)), for some c > 2 to guarantee that the ﬁrst term dominates and the result follows. Next, let Ds (N ) denote the discrepancy of the points given by u un+s−1 n ,..., , n = 0, . . . , N − 1, M M in the sdimensional unit cube [0, 1)s . Theorem 2. If the sequence (un ), given by (1) with a polynomial f (p) (X) ∈ T , for every prime divisor p of M , with total degree d and degXr f ≥ 1 is purely periodic with period t with t ≥ N ≥ 1, then the bound Ds (N ) = O N −1/2 M r/2 (log log log M )s /(log log M )1/2 holds, where the implied constant depends only on s and d. Proof. The statement follows from Lemma 7, taken with
L = N 1/2 M −r/2 (log log M )1/2 and the bound of Theorem 1, where all occurring G = gcd(a0 , . . . , as−1 , M ) are at most L.
References 1. Arkhipov, G.I., Chubarikov, V.N., Karatsuba, A.A.: Trigonometric Sums in Number Theory and Analysis, de Gruyter Expositions in Mathematics, Berlin, vol. 39 (2004) 2. Cochrane, T.: Trigonometric approximation and uniform distribution modulo 1. Proc. Amer. Math. Soc. 103, 695–702 (1988) 3. Cochrane, T., Zheng, Z.Y.: A Survey on Pure and Mixed Exponential Sums Modulo Prime Numbers. Proc. Illinois Millenial Conf. on Number Theory 1, 271–300 (2002)
On the Distribution of Nonlinear Congruential Pseudorandom Numbers
203
4. Drmota, M., Tichy, R.F.: Sequences, discrepancies and applications. Springer, Berlin (1997) 5. ElMahassni, E.D., Shparlinski, I.E., Winterhof, A.: Distribution of nonlinear congruential pseudorandom numbers for almost squarefree integers. Monatsh. Math. 148, 297–307 (2006) 6. ElMahassni, E.D., Winterhof, A.: On the distribution of nonlinear congruential pseudorandom numbers in residue rings. Intern. J. Number Th. 2(1), 163–168 (2006) 7. Griﬃn, F., Niederreiter, H., Shparlinski, I.: On the distribution of nonlinear recursive congruential pseudorandom numbers of higher orders. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC 1999. LNCS, vol. 1719, pp. 87–93. Springer, Heidelberg (1999) 8. Gutierrez, J., GomezPerez, D.: Iterations of multivariate polynomials and discrepancy of pseudorandom numbers. In: Bozta, S., Sphparlinski, I. (eds.) AAECC 2001. LNCS, vol. 2227, pp. 192–199. Springer, Heidelberg (2001) 9. Niederreiter, H., Shparlinski, I.E.: On the distribution and lattice structure of nonlinear congruential pseudorandom numbers. Finite Fields and Their Appl. 5, 246– 253 (1999) 10. Niederreiter, H., Shparlinski, I.E.: Exponential sums and the distribution of inversive congruential pseudorandom numbers with primepower modulus. Acta Arith. 92, 89–98 (2000) 11. Steˇckin, S.B.: An estimate of a complete rational exponential sum. Trudy Mat. Inst. Steklov. 143, 188–207 (1977) (in Russian)
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t ´ ´ V´ıctor Alvarez, Jos´e Andr´ es Armario, Mar´ıa Dolores Frau, F´elix Gudiel, and Amparo Osuna Dpto. Matem´ atica Aplicada 1, E.T.S.I.Inform´ atica, Avda. Reina Mercedes s/n, 41012 Sevilla, Spain
Abstract. A new reduction on the size of the search space for cocyclic Hadamard matrices over dihedral groups D4t is described, in terms of the so called central distribution. This new search space adopt the form of a forest consisting of two rooted trees (the vertices representing subsets of coboundaries) which contains all cocyclic Hadamard matrices satisfying the constraining condition. Experimental calculations indicate that the ratio between the number of constrained cocyclic Hadamard matrices and the size of the constrained search space is greater than the usual ratio. Keywords: Hadamard matrix, cocyclic matrix, dihedral groups.
1
Introduction
Since Hadamard matrices (that is, {1, −1}square matrices whose rows are pairwise orthogonal) were introduced at the end of the XIXth century, the interest in their construction has grown substantially, because of their multiple applications (see [7] for instance). For this reason, many attempts and eﬀorts have been devoted to the design of good construction procedures, the latest involving heuristic techniques (see [5], [1], [4] for instance). Even alternative theoretical descriptions characterizing Hadamard matrices have been proposed (for instance, Ito’s works involving Hadamard graphs [11] in the middle eighties, and Hadamard groups [6,12] more recently). But no matter what one may think, Hadamard matrices keep on being elusive anyway. The point is that though it may be easily checked that the size of a Hadamard matrix is to be 2 or a multiple of 4, there is no certainty whether such a Hadamard matrix exists for every size 4t. This is the Hadamard conjecture, which remains unsolved for more than a century. In fact, the design of a procedure which outputs a Hadamard matrix of the desired size has shown to be as important as solving the Hadamard conjecture itself.
All authors are partially supported by the research projects FQM–296 and P07FQM02980 from Junta de Andaluc´ıa and MTM200806578 from Ministerio de Ciencia e Innovaci´ on (Spain).
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 204–214, 2009. c SpringerVerlag Berlin Heidelberg 2009
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t
205
In the early 90s, a surprising link between homological algebra and Hadamard matrices [9] led to the study of cocyclic Hadamard matrices [10]. The main advantages of the cocyclic framework are that: – On one hand, the Hadamard test for cocyclic matrices [10] runs in O(t2 ) time, better than the O(t3 ) algorithm for usual (not necessarily cocyclic) Hadamard matrices. – On the other hand, the search space reduces drastically, though it still is often of exponential size (see [4,2] for details). Among the groups for which cocyclic Hadamard matrices have been found, it seems that dihedral groups D4t are more likely to give a more density of cocyclic Hadamard matrices, even for every order multiple of 4 (see [8,3,2] for instance). Unfortunately, the task of explicitly construct cocyclic Hadamard matrices over D4t is considerably diﬃcult, since the search space inherits a exponential size. New ideas dealing with this problem are welcome. The purpose of this paper is to describe a new reduction on the size of the search space for cocyclic Hadamard matrices over dihedral groups D4t . The key idea is exploiting the notions of ipaths and intersections introduced in [2], in order to design a forest consisting of two rooted trees (the vertices representing subsets of coboundaries) which contains all cocyclic Hadamard matrices satisfying the so called central distribution. We will explain these notions in the following section. We organize the paper as follows. Section 2 is devoted to preliminaries on cocyclic matrices. Section 3 describes the new search space for cocyclic Hadamard matrices over D4t . We include some ﬁnal remarks and comments.
2
Preliminaries on Cocyclic Matrices
Consider a multiplicative group G = {g1 = 1, g2 , . . . , g4t }, not necessarily abelian. A cocyclic matrix Mf over G consists in a binary matrix Mf = (f (gi , gj )) coming from a 2cocycle f over G, that is, a map f : G × G → {1, −1} such that f (gi , gj )f (gi gj , gk ) = f (gj , gk )f (gi , gj gk ),
∀ gi , gj , gk ∈ G.
We will only use normalized cocycles f (and hence normalized cocyclic matrices Mf ), so that f (1, gj ) = f (gi , 1) = 1 for all gi , gj ∈ G (and correspondingly Mf = (f (gi , gj )) consists of a ﬁrst row and column all of 1s). A basis B for 2cocycles over G consists of some representative 2cocycles (coming from inﬂation and transgression) and some elementary 2coboundaries ∂i , so that every cocyclic matrix admits a unique representation as a Hadamard (pointwise) product M = M∂i1 . . . M∂iw · R, in terms of some coboundary matrices M∂ij and a matrix R formed from representative cocycles. Recall that every elementary coboundary ∂d is constructed from the characteristic set map δd : G → {±1} associated to an element gd ∈ G, so that −1 gd = gi for δd (gi ) = (1) ∂d (gi , gj ) = δd (gi )δd (gj )δd (gi gj ) 1 gd = gi
206
´ V. Alvarez et al.
Although the elementary coboundaries generate the set of all coboundaries, they might not be linearly independent (see [3] for details). Moreover, since the elementary coboundary ∂g1 related to the identity element in G is not normalized, / B. we may assume that ∂g1 ∈ The cocyclic Hadamard test asserts that a cocyclic matrix is Hadamard if and only if the summation of each row (but the ﬁrst) is zero [10]. In what follows, the rows whose summation is zero are termed Hadamard rows. This way, a cocyclic matrix Mf is Hadamard if and only if every row (Mf )i is a Hadamard row, 2 ≤ i ≤ 4t. In [2] the Hadamard character of a cocyclic matrix is described in an equivalent way, in terms of generalized coboundary matrices, iwalks and intersections. We reproduce now these notions. ¯ ∂j related to a elementary coboundary The generalized coboundary matrix M th ∂j consists in negating the j row of the matrix M∂j . Note that negating a row of a matrix does not change its Hadamard character. As it is pointed out in [2], ¯ ∂j contains exactly two negative entries every generalized coboundary matrix M in each row s = 1, which are located at positions (s, i) and (s, e), for ge = gs−1 gi . We will work with generalized coboundary matrices from now on. ¯ ∂i : 1 ≤ j ≤ w} of generalized coboundary matrices deﬁnes an A set {M j ¯ l1 , . . . , M ¯ lw ) so that iwalk if these matrices may be ordered in a sequence (M th consecutive matrices share exactly one negative entry at the i row. Such a walk is called an ipath if the initial and ﬁnal matrices do not share a common −1, and an icycle otherwise. As it is pointed out in [2], every set of generalized coboundary matrices may be uniquely partitioned into disjoint maximal iwalks. From the deﬁnition above, it is clear that every maximal ipath contributes two negative occurrences at the ith row. This way, a characterization of Hadamard rows (consequently, of Hadamard matrices) may be easily described in terms of ipaths. Proposition 1. [2] The ith row of a cocyclic matrix M = M∂i1 . . . M∂iw · R is Hadamard if and only if 2ci − 2Ii = 2t − ri
(2)
¯ ∂i , . . . , M ¯ ∂i }, ri counts where ci denotes the number of maximal ipaths in {M w 1 th the number of −1s in the i row of R and Ii indicates the number of positions ¯ ∂i . . . M ¯ ∂i share a common −1 in their ith row. in which R and M w 1 ¯ ∂i . . . M ¯ ∂i share From now on, we will refer to the positions in which R and M w 1 a common −1 in a given row simply as intersections, for brevity. We will now focus on the case of dihedral groups.
3
Cocyclic Matrices over D4t
Denote by D4t the dihedral group ZZ 2t ×χ ZZ 2 of order 4t, t ≥ 1, given by the presentation < a, ba2t = b2 = (ab)2 = 1 >
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t
207
and ordering {1 = (0, 0), a = (1, 0), . . . , a2t−1 = (2t − 1, 0), b = (0, 1), . . . , a2t−1 b = (2t − 1, 1)} In [6] a representative 2cocycle f of [f ] ∈ H 2 (D4t , ZZ 2 ) ∼ = ZZ 32 is written interchangeably as a triple (A, B, K), where A and B are the inﬂation variables and K is the transgression variable. All variables take values ±1. Explicitly, ij ij k A , i + j < 2t, A B , i ≥ j, i j k i j k f (a b, a b ) = f (a , a b ) = Aij K, i + j ≥ 2t, Aij B k K, i < j, Let β1 , β2 and γ denote the representative 2cocycles related to (A, B, K) = (−1, 1, 1), (1, −1, 1), (1, 1, −1) respectively. A basis for 2coboundaries is described in [2], and consists of the elementary coboundaries {∂a , . . . , ∂a2t−3 b }. This way, a basis for 2cocycles over D4t is given by B = {∂a , . . . , ∂a2t−3 b , β1 , β2 , γ}. Computational results in [6,2] suggest that the case (A, B, K) = (1, −1, −1) contains a large density of cocyclic Hadamard matrices. Furthermore, as it is pointed out in Theorem 2 of [2], cocyclic matrices over D4t using R = β2 γ are Hadamard matrices if and only if rows from 2 to t are Hadamard, so that the cocyclic test runs four times usual. faster than A A for From now on, we assume that R = Mβ2 · Mγ = B −B ⎞ ⎛ ⎛ ⎞ 1 −1 · · · −1 1 1 ··· 1 ⎜ .. . . . . .⎟ · ⎜1 ⎜ . . . .. ⎟ · · −1 ⎟ ⎜ ⎟ ⎟ ⎜ (3) A=⎜. . ⎟ and B = ⎜ ⎟ .. ⎝ .. · ·· · ·· .. ⎠ ⎝1 . −1 ⎠ 1 −1 · · · −1 1 1 ··· 1 Now we would like to know how the 2coboundaries in B have to be combined to form ipaths, 2 ≤ i ≤ t. This information is given in Proposition 7 of [2]. Proposition 2. [2] For 1 ≤ i ≤ 2t, a maximal iwalk consists of a maximal subset in (M∂1 , . . . , M∂2t ) or (M∂2t+1 , . . . , M∂4t ) formed from matrices (. . . , Mj , Mk , . . .) which are cyclically separated in i − 1 positions (that is j ± (i − 1) ≡ k mod 2t). Notice that since ri = 2(i − 1) for 2 ≤ i ≤ t, the cocyclic Hadamard test reduces to check whether ci − Ii = t − i + 1, for 2 ≤ i ≤ t. Thus ci uniquely determines Ii and reciprocally, 2 ≤ i ≤ t. In fact, the way in which intersections may be introduced at the ith row is uniquely determined. More explicitly Lemma 1. The following table gives a complete distribution of the coboundaries in B which may create an intersection at a given row. For clarity in the reading, ¯ ∂i simply by i: we note the generalized coboundary M
´ V. Alvarez et al.
208
row coboundaries 2 2t, 2t + 1 3 2, 2t − 1, 2t, 2t + 1, 2t + 2 4 ≤ k ≤ t 2, . . . , k − 1, 2t − k + 2, . . . , 2t + k − 1, 4t − k + 2, . . . , 4t − 2 Proof It may be seen by inspection, taking into account the distribution of the negative occurrences in R and the form of the generalized coboundary matrices.
Lemma 2. In particular, there are some coboundaries which do not produce any intersection at all, at rows 2 ≤ k ≤ t, which we term free intersection coboundaries. More concretely, t coboundaries 2 2, 3, 6 t > 2 t, t + 1, 3t, 3t + 1 Proof It suﬃces to take the set diﬀerence between B and the set of coboundaries used in the lemma above.
Lemma 3. Furthermore, the following table distributes the coboundaries which produce a intersection at every row, so that coboundaries which produce the same negative occurrence at a row are displayed vertically in the same column. row 2 3 4 ≤ k ≤ t
2t1 2tk+2
2t − k + 3 2
... ...
2t − 1 k−2
Proof It may be seen by inspection.
2t 2t 2
coboundaries 2t + 1 2t + 1
2t
2t + 1
k1
4tk+2
2t+2 2t + 2 4t − k + 1
... ...
2t + k − 3 4t − 2
2t + k − 2
2t+k1
Remark 1. Notice that: – The set of coboundaries which may produce an intersection at the ith row is included in the analog set corresponding to the (i + 1)th row. – The boxed coboundaries do not produce any intersection at the precedent rows. Now one could ask whether cocyclic Hadamard matrices exist for any formal distribution of pairs (ci , Ii ) satisfying the relations ci −Ii = t−i+1, for 2 ≤ i ≤ t. Actually, this is not the case. Proposition 3. Not all of the formal sequences [(c2 , I2 ), . . . , (ct , It )] satisfying ci − Ii = t − i + 1 give rise to cocyclic Hadamard matrices over D4t , for t ≥ 3.
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t
209
Proof Proposition 10 of [2] bounds the number w of coboundaries in B to multiply with R so that a cocyclic Hadamard matrix is formed, so that t − 1 ≤ w ≤ 3t + 2. In particular, for t ≥ 6, we know that 5 ≤ w. Consequently, the case I2 = . . . = It = 0 is not feasible, since from Lemma 2 we know that only up to 4 coboundaries may be combined so that no intersection is generated at any row. This proves the Lemma for t ≥ 6. We now study the remaining cases. Taking into account that 0 ≤ Ii ≤ ri = 2i − 2, we may have a look in the way in which cocyclic Hadamard matrices are distributed regarding the number of intersections Ii , for those groups D4t for which the whole set of cocyclic Hadamard matrices have been computed until now. These are precisely t = 2, 3, 4, 5. For t = 2, we formally have 3 solutions for the equation c2 − I2 = 1, c2 1 2 3 I2 0 1 2 Each of these solutions gives rise to some cocyclic Hadamard matrices Mf , I2 0 1 2 Mf  4 10 2
c2 − I2 = 2 coming c3 − I3 = 1 from the combination of any solution of each of the equations For t = 3, we formally have 15 solutions for the system
c2 2 3 4 I2 0 1 2
c3 1 2 3 4 5 I3 0 1 2 3 4
Only 9 of the 15 hypothetical solutions are real solutions (there are no combinations of coboundaries meeting the other 6 “theoretical” solutions), distributed in the following way: (I2 , I3 ) (0, 1) (0, 2) (0, 3) (1, 1) (1, 2) (1, 3) (2, 1) (2, 2) (2, 3) Mf  6 10 2 8 20 8 2 10 6 ⎧ ⎨ c2 − I2 = 3 For t = 4, we formally have 105 solutions for the system c3 − I3 = 2 coming ⎩ c4 − I4 = 1 from the combination of any solution of each of the equations c2 3 4 5 I2 0 1 2
c3 2 3 4 5 6 I3 0 1 2 3 4
c4 1 2 3 4 5 6 7 I4 0 1 2 3 4 5 6
Only 36 of the 105 hypothetical solutions are real solutions, distributed in the following way:
210
´ V. Alvarez et al.
(I2 , I3 , I4 ) (0, 0, 2) (0, 1, 1) (0, 1, 2) (0, 1, 3) (0, 1, 4) (0, 2, 2) (0, 2, 3) (0, 2, 4) (0, 2, 5) Mf  8 6 18 18 6 12 12 24 12 (I2 , I3 , I4 ) (0, 3, 3) (0, 3, 4) (1, 0, 3) (1, 1, 1) (1, 1, 2) (1, 1, 3) (1, 1, 4) (1, 1, 5) (1, 2, 1) Mf  4 8 12 18 12 8 4 6 4 (I2 , I3 , I4 ) (1, 2, 2) (1, 2, 3) (1, 2, 4) (1, 2, 5) (1, 3, 2) (1, 3, 3) (1, 3, 4) (1, 4, 3) (2, 1, 2) Mf  24 72 24 4 12 32 20 20 2 (I2 , I3 , I4 ) (2, 2, 1) (2, 2, 2) (2, 2, 3) (2, 2, 4) (2, 3, 2) (2, 3, 3) (2, 1, 3) (2, 1, 4) (2, 1, 5) Mf  6 6 2 12 24 12 12 24 12
⎧ c2 − I2 ⎪ ⎪ ⎨ c3 − I3 For t = 5, we formally have 945 solutions for the system c4 − I4 ⎪ ⎪ ⎩ c5 − I5 from the combination of any solution of each of the equations c2 4 5 6 I2 0 1 2
c3 3 4 5 6 7 I3 0 1 2 3 4
c4 2 3 4 5 6 7 8 I4 0 1 2 3 4 5 6
=4 =3 coming =2 =1
c5 1 2 3 4 5 6 7 8 9 I4 0 1 2 3 4 5 6 7 8
Only 153 of the 945 hypothetical solutions are real solutions, (I2 , I3 , I4 , I5 ) (0, 0, 1, 3) (0, 0, 2, 3) (0, 1, 1, 4) (0, 1, 2, 2) (0, 1, 2, 3) (0, 1, 2, 4) Mf  4 12 3 6 12 21 (I2 , I3 , I4 , I5 ) (0, 1, 2, 5) (0, 1, 3, 2) (0, 1, 3, 3) (0, 1, 3, 4) (0, 1, 3, 5) (0, 1, 3, 6) Mf  6 6 12 21 21 9 (I2 , I3 , I4 , I5 ) (0, 1, 3, 7) (0, 1, 4, 3) (0, 1, 4, 4) (0, 1, 4, 5) (0, 1, 4, 6) (0, 1, 4, 7) Mf  3 6 3 9 18 6 (I2 , I3 , I4 , I5 ) (0, 2, 0, 2) (0, 2, 1, 2) (0, 2, 1, 3) (0, 2, 1, 4) (0, 2, 2, 2) (0, 2, 2, 3) Mf  2 4 2 2 4 12 (I2 , I3 , I4 , I5 ) (0, 2, 2, 4) (0, 2, 3, 2) (0, 2, 3, 3) (0, 2, 3, 4) (0, 2, 3, 5) (0, 2, 3, 6) Mf  4 8 8 24 14 2 (I2 , I3 , I4 , I5 ) (0, 2, 4, 4) (0, 2, 4, 5) (0, 2, 4, 6) (0, 2, 5, 4) (0, 3, 2, 5) (0, 3, 3, 2) Mf  12 26 4 4 2 2 (I2 , I3 , I4 , I5 ) (0, 3, 3, 3) (0, 3, 3, 4) (0, 3, 3, 5) (0, 3, 4, 2) (0, 3, 4, 3) (0, 3, 4, 4) Mf  7 6 6 1 4 5 (I2 , I3 , I4 , I5 ) (0, 3, 4, 5) (0, 3, 5, 4) (1, 0, 1, 4) (1, 0, 2, 2) (1, 0, 2, 3) (1, 0, 2, 4) Mf  6 1 2 4 2 4 (I2 , I3 , I4 , I5 ) (1, 0, 4, 2) (1, 0, 4, 3) (1, 0, 4, 4) (1, 0, 5, 4) (1, 1, 1, 3) (1, 1, 1, 4) Mf  4 2 4 2 6 3 (I2 , I3 , I4 , I5 ) (1, 1, 2, 3) (1, 1, 2, 4) (1, 1, 2, 5) (1, 1, 2, 6) (1, 1, 3, 2) (1, 1, 3, 3) Mf  7 14 22 8 4 16 (I2 , I3 , I4 , I5 ) (1, 1, 3, 4) (1, 1, 3, 5) (1, 1, 3, 6) (1, 1, 3, 7) (1, 1, 4, 3) (1, 1, 4, 4) Mf  20 8 16 16 5 10 (I2 , I3 , I4 , I5 ) (1, 1, 4, 5) (1, 1, 4, 6) (1, 1, 5, 3) (1, 1, 5, 4) (1, 2, 1, 3) (1, 2, 1, 4) Mf  18 8 2 1 4 8
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t
211
(I2 , I3 , I4 , I5 ) (1, 2, 2, 2) (1, 2, 2, 3) (1, 2, 2, 4) (1, 2, 2, 5) (1, 2, 3, 2) (1, 2, 3, 3) Mf  4 16 28 16 24 20 (I2 , I3 , I4 , I5 ) (1, 2, 3, 4) (1, 2, 3, 5) (1, 2, 4, 2) (1, 2, 4, 3) (1, 2, 4, 4) (1, 2, 4, 5) Mf  32 56 4 12 24 24 (I2 , I3 , I4 , I5 ) (1, 2, 5, 4) (1, 3, 1, 2) (1, 3, 1, 3) (1, 3, 1, 4) (1, 3, 2, 2) (1, 3, 2, 3) Mf  8 1 3 2 8 16 (I2 , I3 , I4 , I5 ) (1, 3, 2, 4) (1, 3, 2, 5) (1, 3, 3, 3) (1, 3, 3, 4) (1, 3, 3, 5) (1, 3, 4, 2) Mf  10 6 24 32 16 8 (I2 , I3 , I4 , I5 ) (1, 3, 4, 3) (1, 3, 4, 4) (1, 3, 4, 5) (1, 3, 5, 2) (1, 3, 5, 3) (1, 3, 5, 4) Mf  16 22 10 3 9 6 (I2 , I3 , I4 , I5 ) (1, 4, 1, 3) (1, 4, 2, 3) (1, 4, 2, 4) (1, 4, 3, 3) (1, 4, 3, 4) (1, 4, 4, 3) Mf  2 6 6 16 8 6 (I2 , I3 , I4 , I5 ) (1, 4, 4, 4) (1, 4, 5, 3) (2, 1, 2, 3) (2, 1, 2, 4) (2, 1, 2, 5) (2, 1, 2, 6) Mf  6 2 2 1 3 6 (I2 , I3 , I4 , I5 ) (2, 1, 2, 7) (2, 1, 3, 2) (2, 1, 3, 3) (2, 1, 3, 4) (2, 1, 3, 5) (2, 1, 3, 6) Mf  2 2 4 7 7 3 (I2 , I3 , I4 , I5 ) (2, 1, 3, 7) (2, 1, 4, 2) (2, 1, 4, 3) (2, 1, 4, 4) (2, 1, 4, 5) (2, 1, 5, 4) Mf  1 2 4 7 2 1 (I2 , I3 , I4 , I5 ) (2, 2, 1, 4) (2, 2, 2, 4) (2, 2, 2, 5) (2, 2, 2, 6) (2, 2, 3, 2) (2, 2, 3, 3) Mf  4 12 26 4 8 8 (I2 , I3 , I4 , I5 ) (2, 2, 3, 4) (2, 2, 3, 5) (2, 2, 3, 6) (2, 2, 4, 2) (2, 2, 4, 3) (2, 2, 4, 4) Mf  24 14 2 4 12 4 (I2 , I3 , I4 , I5 ) (2, 2, 5, 2) (2, 2, 5, 3) (2, 2, 5, 4) (2, 2, 6, 2) (2, 3, 1, 4) (2, 3, 2, 2) Mf  4 2 2 2 3 3 (I2 , I3 , I4 , I5 ) (2, 3, 2, 3) (2, 3, 2, 4) (2, 3, 2, 5) (2, 3, 3, 2) (2, 3, 3, 3) (2, 3, 3, 4) Mf  12 15 18 6 21 18 (I2 , I3 , I4 , I5 ) (2, 3, 3, 5) (2, 3, 4, 5) (2, 4, 2, 3) Mf  18 6 12 a Attending to the tables above, we conclude that, for 2 ≤ t ≤ 5, there is
large density of cocyclic Hadamard matrices in the case ci = t for 2 ≤ i ≤ t, that is, (I2 , . . . , It ) = (1, . . . t − 1). We call this case the central distribution for intersections and ipaths on D4t . We include now a table comparing the number central of cocyclic Hadamard Mf  of the amount matrices in the central distribution with the proportion % = cases Mf  of cocyclic Hadamard matrices over D4t by the total number cases of valid distributions of intersections (I2 , . . . , It ). The last column contains the number of cocyclic Hadamard matrices of the most proliﬁc case: t cases Mf  % central 2 3 16 5.33 10 3 9 72 8 20 4 36 512 14.22 72 5 153 1400 9.15 32
best 10 20 72 56
´ V. Alvarez et al.
212
It seems then reasonable trying to constraint the search for cocyclic Hadamard matrices over D4t to the central distribution case. The search space in the central distribution (I2 , . . . , It ) = (1, . . . , t−1) may be represented as a forest of two rooted trees of depth t−1. We identify each level of the tree to the correspondent row of the cocyclic matrix at which intersections are being counted, so that the roots of the trees are located at level 2 (corresponding to the intersections created at the second row of the cocyclic matrix). This way the level i contains those coboundaries which must be added to the father conﬁguration in order to get the desired i − 1 intersections at the ith row, for 2 ≤ i ≤ t. The root of the ﬁrst tree is ∂2t , whereas the root of the second tree is ∂2t+1 , since from Lemma 1 these are the only coboundaries which may give an intersection at the second row. As soon as one of these coboundaries is used, the other one is forbidden, since otherwise a second intersection would be introduced at the second row. Now one must add some coboundaries to get two intersections at the third row. Since ∂2t is already used and ∂2t+1 is forbidden, there are only 3 coboundaries left (those boxed in the table of Lemma 3). Successively, in order to construct the nodes at level k, one must add some of the correspondent boxed coboundaries of the table of Lemma 3, since the remaining coboundaries are either used or forbidden. We include the forests corresponding to the cases t = 2, 3, 4 for clarity.
t
trees Level 2
2 Level 2
4
5
Level 2
6
7
3 Level 3
Level 3 5
(2,5,8)
8
5
8
Level 2
Level 3
2
7
10
(2,7,10)
Level 4
4
6
11
14 (3,6,11) (3,6,14)(3,11,14)
6
11
14 (3,6,11)(3,6,14)(3,11,14)
11
14 (3,6,11)(3,6,14)(3,11,14)
9
Level 2
Level 3
6
2
7
10
Level 4 3
6
11(14,3,6) (14,3,11) (14,6,11)
3
6
11(14,3,6) (14,3,11) (14,6,11)
3
6
11(14,3,6) (14,3,11) (14,6,11)
8
Rooted Trees Searching for Cocyclic Hadamard Matrices over D4t
213
Every branch ending at level t gives a cocyclic matrix meeting the desired distribution of intersections (I2 , . . . , It ). Now one has to check whether any of the 16 possible combinations with the free intersection coboundaries {∂t ,∂t+1 ,∂3t ,∂3t+1 } of Lemma 2 gives rise to a cocyclic Hadamard matrix (that is, to the desired distribution of ipaths, (c2 , . . . , ct ) = (t, . . . , t)). We now give some properties of the trees above. Proposition 4. In the circumstances above, it may be proved that 1. The skeleton (i.e., the branches, forgetting about the indexes of the coboundaries used) of the trees related to D4t are preserved to form the levels from 2 to t corresponding to the trees of D4(t+1) . 2. Among the boxed coboundaries {∂2t−k+2 , ∂k−1 , ∂4t−k+2 , ∂2t+k−1 to be added at level k of the trees, precisely one of them removes an intersection, whereas the remaining three adds one intersection each. 3. At each level, either just one or exactly three boxed coboundaries must be used, there is no other possible choice in order to meet the desired amount of intersections. 4. Consequently, a branch may be extended from level k to level k + 1 if and only if k − hk ∈ {−1, 1, 3}, where hk denotes the number of intersections inherited from level k to level k + 1. 5. Branches ending at levels above level t will never give rise to cocyclic Hadamard matrices meeting the central distribution. This will be more frequent the greater t is. 6. Both trees may have branches ending at level t which may not produce any cocyclic Hadamard matrix at all. This will be more frequent the greater t is. Proof Most of the properties are consequences of the results explained in Lemma 1 through Lemma 3, and are left to the reader. Property 3 comes as a result of a parity condition: there must be an odd number of intersections at odd levels, and an even number of intersections at even levels. Since boxed coboundaries either add an intersection each, or just one of them removes an intersection (added by a coboundary previously used), the parity condition leads to the result. Concerning Property 5, we give a branch not reaching the last level for t = 9: level 2 3 4 5 6 7 8 cob. 18 17 21 4, 22, 33 32 6, 13, 24 12, 25, 30 Concerning Property 6, we give a branch reaching the last level for t = 9, which do not give rise to any cocyclic Hadamard matrix at all: level 2 3 4 5 6 7 8 9 cob. 19 17 21 22 14 6, 24, 31 12, 25, 30 29
So far, it is evident that the above trees reduce the search space for cocyclic Hadamard matrices over D4t , constraining the solutions to the central distribution case.
214
´ V. Alvarez et al.
There is only one question left. Is the new proportion ratioc of cocyclic Hadamard matrices in the central distribution case by the size of the reduced space greater than the proportion ratiog of general cocyclic Hadamad matrices by the size of the general search space? It seems so, attending to the table below (we have followed the calculations of [2] about the size of the general search space in D4t ). t Mf  g. size ratiog 2 16 32 0.5 3 72 492 0.146 4 512 8008 0.063
Mf  central size ratioc 10 16 0.625 20 96 0.208 72 576 0.125
We claim that developing a heuristic search in the forest described above will produce some cocyclic Hadamard matrices over D4t more likely than any other technique applied till now to the general case. This will be the goal of our work in the near future.
References ´ 1. Alvarez, V., Armario, J.A., Frau, M.D., Real, P.: A genetic algorithm for cocyclic Hadamard matrices. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC 2006. LNCS, vol. 3857, pp. 144–153. Springer, Heidelberg (2006) ´ 2. Alvarez, V., Armario, J.A., Frau, M.D., Real, P.: A system of equations for describing cocyclic Hadamard matrices. Journal of Comb. Des. 16(4), 276–290 (2008) ´ 3. Alvarez, V., Armario, J.A., Frau, M.D., Real, P.: The homological reduction method for computing cocyclic Hadamard matrices. J. Symb. Comput. 44, 558–570 (2009) ´ 4. Alvarez, V., Frau, M.D., Osuna, A.: A genetic algorithm with guided reproduction for constructing cocyclic Hadamard matrices. In: ICANNGA 2009 (2009) (sent) 5. Baliga, A., Chua, J.: Selfdual codes using image resoration techniques. In: Bozta, S., Sphparlinski, I. (eds.) AAECC 2001. LNCS, vol. 2227, pp. 46–56. Springer, Heidelberg (2001) 6. Flannery, D.L.: Cocyclic Hadamard matrices and Hadamard groups are equivalent. J. Algebra 192, 749–779 (1997) 7. Hedayat, A., Wallis, W.D.: Hadamard Matrices and Their Applications. Ann. Stat. 6, 1184–1238 (1978) 8. Horadam, K.J.: Hadamard matrices and their applications. Princeton University Press, Princeton (2006) 9. Horadam, K.J., de Launey, W.: Cocyclic development of designs. J. Algebraic Combin. 2(3), 267–290 (1993); Erratum: J. Algebraic Combin. 3(1), 129 (1994) 10. Horadam, K.J., de Launey, W.: Generation of cocyclic Hadamard matrices. In: Computational algebra and number theory, pp. 279–290. Math. Appl., Kluwer Acad. Publ, Dordrecht (1995) 11. Ito, N.: Hadamard Graphs I. Graphs Combin. 1(1), 57–64 (1985) 12. Ito, N.: On Hadamard Groups. J. Algebra 168, 981–987 (1994)
Interesting Examples on Maximal Irreducible Goppa Codes Marta Giorgetti Dipartimento di Fisica e Matematica, Universita’ dell’Insubria
Abstract. A full categorization of irreducible classical Goppa codes of degree 4 and length 9 is given: it is an interesting example in the context of ﬁnding an upper bound for the number of Goppa codes which are permutation nonequivalent and irreducible and maximal with ﬁxed parameters q, n and r (Fq is the ﬁeld of the Goppa code, the Goppa polynomial has coeﬃcients in Fqn and its degree is r) using group theory techniques.
1
The Number of Nonequivalent Goppa Codes
Deﬁnition 1. Let g(x) = gi xi ∈ Fqn [x] and let L = {ε1 , ε2 , . . ., εN } denote n a subset of elements of Fq which are not roots of g(x). Then the Goppa code G(L, g) is defined as the set of all vectors c = (c1 , c2 , . . ., cN ) with components in N ci ≡ 0 mod g(x). Fq which satisfy the condition: i=0 x−ε i If L = {ε1 , ε2 , . . ., εN } = Fqn the Goppa code is said maximal ; if the degree of g(x) is r, then the Goppa code is called a Goppa code of degree r; if g(x) is irreducible over Fqn the Goppa code is called irreducible . In this case, a
1 1 1 , α−ε , 1 , where parity check matrix for G(L, g) can be Hα = α−ε 2 , . . ., α−εqn−1 α α ∈ Fqnr is a root of g(x) and ε = F∗qn . We denote the Goppa code G(L, g) as C(α) when a parity check matrix of type Hα is considered. It is important to stress that by using parity check matrix Hα to deﬁne G(L, g) we implicitly ﬁx an order in L. We observe that the Goppa code G(L, g) is the subﬁeld subcode of code over Fqnr having as parity check matrix Hα . We denote by Ω = Ω(q, n, r) the set of Goppa codes, with ﬁxed parameters q, n, r, S = S(q, n, r) the set of all elements in Fqnr of degree r over Fqn and P = P(q, n, r) the set of irreducible polynomials of degree r in Fqn [x]. In [4] the action on Ω is obtained by considering an action on S of an ”semiaﬃne” group T = AGL(1, q n )σ in the following way: for α ∈ S and t ∈ T , i αt = aαq + b for some a, b ∈ Fqn , a = 0 and i = 1 . . . nr. The action gives a number of orbits over S which is an upper bound for the number of non equivalent Goppa codes. An important result of [4] is the following: i
Theorem 1. [4] If α, β ∈ S are related as it follows β = ζαq + ξ for some ζ, ξ ∈ Fqn , ζ = 0, i = 1. . .nr, then C(α) is equivalent to C(β). M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 215–218, 2009. c SpringerVerlag Berlin Heidelberg 2009
216
M. Giorgetti
In [2] the action of a group F G isomorphic to AΓ L(1, q n ) on the q n columns of the parity check matrix Hα is considered. We point out that columns of Hα are in bijective correspondence with the elements of Fqn . The group F G induces on Ω the same orbits which arise from the action introduced in [4]. This action does not describe exactly the orbits of permutation non equivalent Goppa codes, since in some cases the number of permutation nonequivalent Goppa codes is less than the number of orbits of T on S. The group F G acts faithfully on the columns of Hα : it can be seen as a subgroup of the symmetric group Sqn . In [2] it has been proved that there exists exactly one maximal subgroup M (isomorphic to AGL(nm, p)) of Sqn (Aqn ) containing F G (q = pm ). This suggests that one could consider the action of M on codes to reach the right bound. From this result one could hope that, when it is not possible to reach the exact number s of permutation nonequivalent Goppa codes by the action of F G, s is obtained by considering the group AGL(nm, p). Unfortunately, this is not always true as it is shown in the next section. The following examples were introduced by Ryan in this PhD thesis [4]. In the next, we thoroughly analyze them, pointing out the group action of AGL(nm, p). Classiﬁcation of Ω(3, 2, 4). Let q = 3, n = 2, r = 4; let ε be a primitive element of F32 with minimal polynomial x2 + 2x + 2; let L = [ε, ε2 , . . . , ε7 , 1, 0]; let P = P(3, 2, 4) be the set of all irreducible polynomials of degree 4 in F9 , P = 1620 and let S = S(3, 2, 4) be the set of all elements of degree 4 over F9 , S = 6480. Let Γ (g, L) be a maximal irreducible Goppa code of length 9 over F3 , g ∈ P. We denote by SS the symmetric group on S. We consider the action of T on S: it gives 13 orbits on S. It means that there are at most 13 classes of maximal irreducible Goppa codes. We choose a representative for each class. Table 1 shows the thirteen classes: for each representative code Γi , we give the corresponding Goppa polynomial gi (x), the code parameters [n, k, d] and the generator matrix M . Table 1. Representatives of the 13 classes obtaining in the action of T over S Γi Γ1 Γ2 Γ3 Γ4 Γ5 Γ6 Γ7 Γ8 Γ9 Γ10 Γ11 Γ12 Γ13
gi (x) x4 + f 3 x3 + f x + f 5 x4 + f 7 x3 + x2 + f 5 x + f 3 x4 + f 5 x + f x4 + f 5 x2 + f 6 x + f 2 x4 + f 7 x2 + f 2 x + f 5 x4 + f x3 + f 5 x2 + f 3 x + f 6 x4 + f 6 x3 + f 2 x2 + 2x + f 5 x4 + 2x3 + 2x2 + 2x + f 7 x4 + f 5 x3 + f 2 x2 + f 3 x4 + 2x3 + f 3 x2 + f 6 , x4 + f x3 + f x2 + f x + f 2 , x4 + f 3 x3 + f 2 x2 + 2x + f 3 , x4 + f 3 x3 + f 5 x2 + x + f 6
[n, k, d] generator matrixM [9, 1, 9] [112212212] [9, 1, 5] [010222010] [9, 1, 9] [122221112] [9, 1, 6] [120101202] [9, 1, 6] [112001011] [9, 1, 7] [001111122] [9, 1, 5] [001220110] [9, 1, 6] [121120200] [9, 1, 6] [010021112] [9, 1, 5] [120201200] [9, 1, 7] [120220221] [9, 1, 6] [101012012] [9, 1, 6] [011101202]
Interesting Examples on Maximal Irreducible Goppa Codes
217
The analysis of parameters [n, k, d] and generator matrices shows that these 13 code representantives can not be equivalent, since they have diﬀerent minimum distances. We can observe that Γ1 is permutation equivalent to Γ3 ; Γ2 and Γ10 are permutation equivalent to Γ7 ; Γ11 is permutation equivalent to Γ6 ; Γ4 is permutation equivalent to Γ8 ; Γ9 are Γ12 are permutation equivalent to Γ13 . We can conclude that the number of diﬀerent classes of permutation non equivalent codes is 6 and not 13 (Γ5 composes a permutation equivalence class). Moreover Γ5 , Γ4 , Γ8 , Γ9 , Γ12 and Γ13 are monomially equivalent, so there are only 4 equivalence classes of non equivalent Goppa codes. In Table 2 we summarize the results of the group actions as follows. The action of T on S, T ≤ SS , creates 13 orbits: we report the number of elements in each orbit ST  and we count the number of Goppa codes corresponding to these elements (by abuse of notation we write ΓiT ). For each representative Γi , we consider its permutation group P(Γi ): we obtain the number of codes S9  ; the number of codes which are permutation equivalent to it by computing P(Γ i ) permutation equivalent to Γi under the actions of F G (and AGL = AGL(2, 3)) is F G AGL (and ALG∩P(Γ , respectively). We use symbols ♣, ♦, ♥ obtained as F G∩P(Γ i ) i ) and ♠ to denote the four monomial equivalence classes and symbols ⊕, , ⊗ to denote the permutation classes when they are diﬀerent from the monomial classes. We write P.E. to say Permutation Equivalent. In this example, the action of the only maximal permutation group AGL ≤ Sqn , which contains F G, is not suﬃcient to unify disjoint orbits of non equivalent codes. Only the whole symmetric group Sqn gives the right number of non equivalent Goppa codes. Remark 1. It is interesting to analyzing polynomials in P. We denote by P♣ the set of polynomials corresponding to Goppa codes in the ♣ equivalence class, and Table 2. Diﬀerent group actions ST  ΓiT  P(Γi )
Γi Γ1 Γ3 Γ2 Γ10 Γ7 Γ6 Γ11 Γ5 Γ4 Γ8 Γ9 Γ12 Γ13
♣ ♣ ♦ ♦ ♦ ♠ ♠ ♥ ♥ ♥ ♥ ♥ ♥
⊗ ⊕ ⊕
144 576 576 576 576 576 288 576 576 576 288 576 576 6480
S9  P(Γi )
18 2880 126 72 2880 P.E.Γ1 144 288 1260 144 288 P.E.Γ2 144 288 P.E.Γ2 144 480 756 72 480 P.E.Γ6 144 720 504 144 432 840 144 432 P.E.Γ4 72 288 1260 144 288 P.E.Γ9 144 288 P.E.Γ9 1530 4746
F G AGL P(Γi )∩F G P(Γi )∩ALG
18 72 144 144 144 144 72 144 144 144 72 144 144 1530
54 72 432 216 432 216 108 216 432 216 108 216 216 2934
218
M. Giorgetti
so on for the others, hence P = P♣ ∪ P♦ ∪ P♠ ∪ P♥ . We denote by P∗,Γi , the set of polynomials in P∗ , ∗ ∈ {♣, ♦, ♥,♠}, corresponding to the codes in ΓiT . It is easy to check that if g ∈ P♣ , g has the following shape x4 + εi x3 + εj x + εk for some εi , εj , εk ∈ Fqn and the x2 coeﬃcient is equal to zero. We know that P♣,Γ1  = 36 and Γ1T  = 18. This means that more than one polynomial generates the same code. We can show that couples of polynomials in P♣,Γ1 generate the same code. Moreover if g1 , g2 ∈ Γ1T generate the same Goppa code then they have the same coeﬃcients except for the constant term: we can obtain one constant term from the other by arising to the qth power. For example polynomials x4 +ε6 x3 +ε2 x+ε2 and x4 + ε6 x3 + ε2 x + ε6 generate the same Goppa code. A similar argument can conduce us to say that polynomials in P♣,Γ3 are 576, but they generate 72 diﬀerent Goppa codes. We have that 4 polynomials create the same Goppa code and we ﬁnd the following relation: given a polynomial g ∈ P♣,Γ3 , g = x4 +εi x3 +εj x+εk , then the following tree polynomials generate the same Goppa code: g = x4 + εiq x3 + εjq x + εkq , g = x4 + εj x3 + εi x + εk and g = x4 + εjq x3 + εjq x + εkq . Analogous arguments can be used to describe set of polynomials in P♦ , P♥ and P♠ . Codes in Ω(2, 5, 6): let us consider the codes studied in [3]. Let q = 2, n = 5 r = 6 and let f be a primitive element of Fqn with minimal polynomial x5 +x2 +1; let L = [f, f 2 , . . . , f 30 , 1, 0]. We consider the following two polynomials p1 := x6 + f 22 x5 + f 2 x4 + f 25 x3 + f 10 x + f 3 and p2 := x6 + f 20 x5 + f 19 x4 + f 19 x3 + f 12 x2 +f 4 x+f 2 8. They generate equivalent Goppa codes Γ1 (L, p1 ) and Γ2 (L, p2 ), but their roots are in diﬀerent orbits under the action of T over S = S(2, 5, 6). To know how many codes are in each orbits we take a representative code and we construct its orbit under the permutation group F G ≤ S32 . We verify that the action of the maximal subgroup AGL(2, 5) containing F G does not unify the two orbits. Also in this case, the only permutation group which gives the right number of non equivalent Goppa code is the whole symmetric group Sqn .
References 1. Chen, C.L.: Equivalent irreducible Goppa codes. IEEE Trans. Inf. Theory 24, 766– 770 (1978) 2. Dalla Volta, F., Giorgetti, M., Sala, M.: Permutation equivalent maximal irreducible Goppa codes. Designs, Codes and Cryptography (submitted), http://arxiv.org/abs/0806.1763 3. Ryan, J.A., Magamba, K.: Equivalent irreducible Goppa codes and the precise number of quintic Goppa codes of length 32. In: AFRICON 2007, September 2628, pp. 1–4 (2007) 4. Ryan, J.: Irreducible Goppa codes, Ph.D. Thesis, University College Cork, Cork, Ireland (2002)
Repeated Root Cyclic and Negacyclic Codes over Galois Rings Sergio R. L´ opezPermouth and Steve Szabo Department of Mathematics, Ohio University, Athens, Ohio45701, USA
Abstract. In this notice we describe the ideal structure of all cases of cyclic and negacyclic codes of length ps over a Galois ring alphabet that have not yet been discussed in the literature. Unlike in the cases reported earlier in the literature by various authors, the ambient spaces here are never chain rings. These ambient rings do nonetheless share the properties of being local and having a simple socle. Keywords: repeated root codes, cyclic codes, polynomial codes, Galois rings.
1
Introduction
While the literature on cyclic and negacylic codes over chain rings (such as Galois rings) has experienced much growth in recent years (see [1, 2, 3, 4, 5, 6]), in most instances the studies have been focused only on the cases where the characteristic of the alphabet ring is coprime to the code length, the socalled simple root codes. A few of the contributions to the study of the cases where the characteristic of the alphabet ring is not coprime to the code length (repeated root codes) are [7, 8, 9, 10, 11, 12]. In this paper we focus on the repeated root case where the code length is in fact ps , a power of a prime p. In all papers dealing with this type of code so far, the codes correspond to principal ideals because in every case considered thus far the code ambient has been a chain ring. It turns out that in the remaining cases the code ambients are no longer chain rings and in fact, not even principal ideal rings. The authors are submitting a complete account of their research elsewhere [13]; the results announced here are proven there and methods to calculate the minimum distance of all negacyclic and cyclic codes considered are also given there. The three cases of codes of length ps not previously tackled in the literature are: cyclic and negacyclic codes over GR(pa , m) for odd prime p and a > 1 and cyclic codes over GR(2a , m) for a > 1. It is easy to see that the ambients a GR(pa ,m)[x] ,m)[x] and GR(p for negacyclic and cyclic codes for an odd prime p xps +1 xps −1 and a > 1 are isomorphic under the isomorphism sending x to −x. Hence, all the results about the lattice structure of their ideals can be done for one and translated into the other in a straightforward way. Surprisingly, the structure a ,m)[x] of the cyclic codes over GR(2a , m) for a > 1 for the ambient ring GR(2 x2s −1 M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 219–222, 2009. c SpringerVerlag Berlin Heidelberg 2009
220
S.R. L´ opezPermouth and S. Szabo
is similar to the two other ambients in this paper and, in fact, the proofs of the corresponding results are highly parallel. For convenience, we opt to state all results on the cyclic case so all results can be stated with a single notation without restrictions on the parity of p. It is worthwhile noticing, however, that GR(2a ,m)[x] is not isomorphic to its negacyclic counterpart which is a chain ring x2s −1 [14]. One should also point out that in [13] where these results appear in their entirety including proofs, it was found to be better to work on the negacyclic case for the proofs when p is odd. In the case of p = 2, the results can be obtained using x + 1 or x − 1. For the reason mentioned, x + 1 was chosen to present the p = 2 case in [13] also. Here we will use x − 1 for the purposes of stating the results for arbitrary prime p in a concise way. We use standard ringtheoretic terminology which we include here for the convenience of the reader. For further information, the reader may consult a standard reference such [15]. For an account focusing on finite rings, see [16]. A left module M of a ring R is simple if M = 0 and M has no Rsubmodules other than (0) and M . The socle of a ring R denoted by soc(R), is the sum of of all minimal left ideals of R. The Jacobson Radical of ring R denoted by J(R), is the intersection of all maximal left ideals of R. A chain ring is a ring whose ideals are linearly ordered by inclusion. Since all rings in this paper are commutative, the use of left modules, left ideals, etc. is unnecessary in our context and the reader may simply ignore the word ”left” in each definition.”
2
The Main Results
The following results hold for ambient rings and p an arbitrary prime. Proposition 1. In
GR(pa ,m)[x] , xps −1
p
a−1
(ps −1)
(x − 1)
for integers a > 1, s > 0
the element (x − 1) is nilpotent.
Proposition 2. The ambient ring GR(pa ,m)[x] = p, x − 1. s xp −1 Proposition 3. The socle soc
GR(pa ,m)[x] xps −1
GR(pa ,m)[x] xps −1
GR(pa ,m)[x] xps −1
of
is a local ring with radical J
GR(pa ,m)[x] xps −1
is the simple module
.
Proposition 4. In the ambient ring
GR(pa ,m)[x] xps −1
1. p ∈ / x − 1 2. x − 1 ∈ / p a ,m)[x] 3. GR(p is not a chain ring s xp −1 4. p, x − 1 is not a principal ideal Theorem 1. The ambient ring that is not a chain ring.
GR(pa ,m)[x] xps −1
is a finite local ring with simple socle
Repeated Root Cyclic and Negacyclic Codes over Galois Rings
221
Example 1. To illustrate Theorem 1, we provide the following figure. It shows Z [x] the ideal lattice of x332−1 . Notice that the radical is 3, x − 1 and the socle is 3(x − 1)2 . More importantly, we see that the ring is not a chain ring. 1 3, x − 1 jjj ???TTTTTTT ?? TTTT jjjj j j j TTTT ?? jjj j j TTTT ?? j j j j TTTT j ? j j ? j TTTT j ? j j ? j TTTT j ? j2jj 3 + (x − 1) 3 + 2(x − x − 1 3, (x − 1) OO1) WWWWW OOOWZWZWZWZWZZZZ OOO WWWWW OOO WWWWZWZZZZZZZ OOO WWWWW WWWWW ZZZZZZZ OOO OOO WW ZZ WWWWW OOO O WWWWW ZZZZZZZZZZZZ WWWWWWWW OOO ZZZZZZZ WWWWW OOOOO WWWWW OOO Z W Z W W Z Z W W Z W Z Z W OOO ZZZZWZWZWZWWOWOOOO WWWWW ZZZW O 2 2 W 3 WWWWW 3 + (x − 1) , 3(x 3 + 2(x −O1) (x − 1)2 OOOWW−WZW1) Z OOO WWWWW OOO WZWZWZWZWZWZZZZZZZZ O W O W WWWWW ZZZZZZZ WWWWW OOO OOO ZZ WWWWW W OOO OOO WWWWW ZZZZZZZZZZZZ WWWWWWWW OOO O Z W Z W W Z WWWWW ZZZZZZZ WWWWW OOOOO OOO ZZZZZZZWWWW OO WWWWW OOO ZZZZWZWZWZWOO WWW O 2 2 3(x 3 + 6(x − 1) + (x 3 + (x − 1)2 TTT−T1) 3 + 3(x − 1) + ?? (x − 1) j − 1) TTTT ?? jjjj j j j TTTT ?? jj TTTT ?? jjjj TTTT ?? jjjj j j TTTT j TTTT ??? jjjj TT ? jjjjjj 2 3(x − 1) 0
3
Conclusion
The results in this paper shed light on a more general class of codes and their ambient structures, namely polynomial codes over Galois rings. It was shown here that such codes are not always principal. This abridged version of [13] should serve as insight for another paper by the authors which is in preparation at this time [17]. In that paper, the ambient rings for polynomial codes over Galois rings are studied which is the natural next step for the research presented here.
References 1. Calderbank, A.R., Sloane, N.J.A.: Modular and padic cyclic codes. Des. Codes Cryptogr. 6(1), 21–35 (1995) 2. Kanwar, P., L´ opezPermouth, S.R.: Cyclic codes over the integers modulo pm . Finite Fields Appl. 3(4), 334–352 (1997) 3. Kiah, H.M., Leung, K.H., Ling, S.: Cyclic codes over GR(p2 , m) of length pk . Finite Fields Appl 14(3), 834–846 (2008)
222
S.R. L´ opezPermouth and S. Szabo
4. Pless, V.S., Qian, Z.: Cyclic codes and quadratic residue codes over Z4 . IEEE Trans. Inform. Theory 42(5), 1594–1600 (1996) 5. S˘ al˘ agean, A.: Repeatedroot cyclic and negacyclic codes over a finite chain ring. Discrete Appl. Math. 154(2), 413–419 (2006) 6. Wolfmann, J.: Negacyclic and cyclic codes over Z4 . IEEE Trans. Inform. Theory 45(7), 2527–2532 (1999) 7. Abualrub, T., Oehmke, R.: Cyclic codes of length 2e over Z4 . Discrete Appl. Math. 128(1), 3–9 (2003); International Workshop on Coding and Cryptography (WCC 2001), Paris (2001) 8. Abualrub, T., Oehmke, R.: On the generators of Z4 cyclic codes of length 2e . IEEE Trans. Inform. Theory 49(9), 2126–2133 (2003) 9. Castagnoli, G., Massey, J.L., Schoeller, P.A., von Seemann, N.: On repeatedroot cyclic codes. IEEE Trans. Inform. Theory 37(2), 337–342 (1991) 10. Dougherty, S.T., Park, Y.H.: On modular cyclic codes. Finite Fields Appl. 13(1), 31–57 (2007) ¨ ¨ 11. Ozadam, H., Ozbudak, F.: A note on negacyclic and cyclic codes of length ps over a finite field of characteristic p (2009) (preprint) 12. van Lint, J.H.: Repeatedroot cyclic codes. IEEE Trans. Inform. Theory 37(2), 343–345 (1991) 13. L´ opezPermouth, S.R., Szabo, S.: On the Hamming weight of repeated root cyclic and negacyclic codes over Galois rings. arXiv:0903.2791v1 (submitted) 14. Dinh, H.Q.: Negacyclic codes of length 2s over Galois rings. IEEE Trans. Inform. Theory 51(12), 4252–4262 (2005) 15. Lam, T.Y.: A first course in noncommutative rings, 2nd edn. Graduate Texts in Mathematics, vol. 131. Springer, New York (2001) 16. McDonald, B.R.: Finite rings with identity. Pure and Applied Mathematics, vol. 28. Marcel Dekker Inc., New York (1974) 17. L´ opezPermouth, S.R., Szabo, S.: Polynomial codes over Galois rings (in preparation)
Construction of Additive ReedMuller Codes J. Pujol, J. Rif` a, and L. Ronquillo Department of Information and Communications Engineering, Universitat Aut` onoma de Barcelona, 08193Bellaterra, Spain
Abstract. The well known Plotkin construction is, in the current paper, generalized and used to yield new families of Z2 Z4 additive codes, whose length, dimension as well as minimum distance are studied. These new constructions enable us to obtain families of Z2 Z4 additive codes such that, under the Gray map, the corresponding binary codes have the same parameters and properties as the usual binary linear ReedMuller codes. Moreover, the first family is the usual binary linear ReedMuller family. Keywords: Z2 Z4 Additive codes, Plotkin construction, ReedMuller codes, Z2 Z4 linear codes.
1
Introduction
The aim of our paper is to obtain a generalization of the Plotkin construction which gave rise to families of Z2 Z4 additive codes such that, after the Gray map, the corresponding Z2 Z4 linear codes had the same parameters and properties as the family of binary linear RM codes. Even more, we want the corresponding codes with parameters (r, m) = (1, m) and (r, m) = (m−2, m) to be, respectively, any one of the nonequivalent Z2 Z4 linear Hadamard and Z2 Z4 linear 1perfect codes.
2
Constructions of Z2 Z4 Additive Codes
β In general, any nonempty subgroup C of Zα 2 × Z4 is a Z2 Z4 additive code, where α Z2 denotes the set of all binary vectors of length α and Zβ4 is the set of all βtuples in Z4 . β n Let C be a Z2 Z4 additive code, and let C = Φ(C), where Φ : Zα 2 × Z4 −→ Z2 is given by the map Φ(u1 , . . . , uα v1 , . . . , vβ ) = (u1 , . . . , uα φ(v1 ), . . . , φ(vβ )) where φ(0) = (0, 0), φ(1) = (0, 1), φ(2) = (1, 1), and φ(3) = (1, 0) is the usual Gray map from Z4 onto Z22 . Since the Gray map is distance preserving, the Hamming distance of a Z2 Z4 linear code C coincides with the Lee distance computed on the Z2 Z4 additive code C = φ−1 (C).
This work has been partially supported by the Spanish MICINN Grants MTM200603250, TSI200614005C0201, PCI2006A70616 and also by the Comissionat per a Universitats i Recerca de la Generalitat de Catalunya under grant FI2008.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 223–226, 2009. c SpringerVerlag Berlin Heidelberg 2009
224
J. Pujol, J. Rif` a, and L. Ronquillo
A Z2 Z4 additive code C is also isomorphic to an abelian structure like Zγ2 ×Zδ4 . Therefore, C has C = 2γ 4δ codewords and, moreover, 2γ+δ of them are of order two. We call such code C a Z2 Z4 additive code of type (α, β; γ, δ) and its binary image C = Φ(C) is a Z2 Z4 linear code of type (α, β; γ, δ). Although C may not have a basis, it is important and appropriate to define a generator matrix for C as: B2 Q2 G= , (1) B4 Q4 where B2 and B4 are binary matrices of size γ × α and δ × α, respectively; Q2 is a γ × βquaternary matrix which contains order two row vectors; and Q4 is a δ × βquaternary matrix with order four row vectors. 2.1
Plotkin Construction
In this section we show that the well known Plotkin construction can be generalized to Z2 Z4 additive codes. Definition 1 (Plotkin Construction). Let X and Y be any two Z2 Z4 additive codes of types (α, β; γX , δX ), (α, β; γY , δY ) and minimum distances dX , dY , respectively. If GX and GY are the generator matrices of X and Y, then the matrix GX GX GP = 0 GY is the generator matrix of a new Z2 Z4 additive code C. Proposition 2. Code C defined above is a Z2 Z4 additive code of type (2α, 2β; γ, δ), where γ = γX + γY , δ = δX + δY , binary length n = 2α + 4β, size 2γ+2δ and minimum distance d = min{2dX , dY }. 2.2
BAPlotkin Construction
Applying two Plotkin constructions, one after another, but slightly changing the submatrices in the generator matrix, we obtain a new construction with interesting properties with regard to the minimum distance of the generated code. We call this new construction BAPlotkin construction. Given a Z2 Z4 additive code C with generator matrix G we denote, respectively, by G[b2 ], G[q2 ], G[b4 ] and G[q4 ] the four submatricesB2 , Q2 , B4 , Q4 of G defined B2 Q2 in (1); and by G[b] and G[q] the submatrices of G, , , respectively. B4 Q4 Definition 3 (BAPlotkin Construction). Let X , Y and Z be any three Z2 Z4 additive codes of types (α, β; γX , δX ), (α, β; γY , δY ), (α, β; γZ , δZ ) and minimum distances dX , dY , dZ , respectively. Let GX , GY and GZ be the generator matrices of the Z2 Z4 additive codes X , Y and Z, respectively. We define a new code C as the Z2 Z4 additive code generated by
Construction of Additive ReedMuller Codes
225
⎛
GBA
⎞ GX [b] GX [b] 2GX [b] GX [q] GX [q] GX [q] GX [q] ⎜ 0 GY [b2 ] GY [b2 ] 0 2G [q2 ] G [q2 ] 3G [q2 ] ⎟ Y Y Y ⎜ ⎟ ⎟ =⎜ ⎜ 0 GY [b4 ] GY [b4 ] 0 GY [q4 ] 2GY [q4 ] 3GY [q4 ] ⎟ , ⎝ GY [b4 ] GY [b4 ] 0 0 0 GY [q4 ] GY [q4 ] ⎠ 0 0 0 0 GZ [q] 0 GZ [b]
where GY [q2 ] is the matrix obtained from GY [q2 ] after switching twos by ones in its γY rows of order two, and considering the ones from the third column of the construction as ones in the quaternary ring Z4 . Proposition 4. Code C defined above is a Z2 Z4 additive code of type (2α, α + 4β; γ, δ) where γ = γX + γZ , δ = δX + γY + 2δY + δZ , binary length n = 4α + 8β, size 2γ+2δ and minimum distance d = min{4dX , 2dY , dZ }.
3
Additive ReedMuller Codes
We will refer to Z2 Z4 additive ReedMuller codes as ARM. Just as there is only one RM family in the binary case, in the Z2 Z4 additive case there are m+2 2 families for each value of m. Each one of these families will contain any of the m+2 2 nonisomorphic Z2 Z4 linear extended perfect codes which are known to exist for any m [1]. We will identify each family ARMs (r, m) by a subindex s ∈ {0, . . . , m 2 }. 3.1
The Families of ARM(r, 1) and ARM(r, 2) Codes
We start by considering the case m = 1, that is the case of codes of binary length n = 21 . The Z2 Z4 additive ReedMuller code ARM(0, 1) is the repetition code, of type (2, 0; 1, 0) and which only has one nonzero codeword (the vector with only two binary coordinates of value 1). The code ARM(1, 1) is the whole space Z22 , thus a Z2 Z4 additive code of type (2, 0; 2, 0). Both codes ARM(0, 1) and ARM(1, 1) are binary codes with the same parameters and properties as the corresponding binary RM (r, 1) codes (see [2]). We will refer to them as ARM0 (0, 1) and ARM0 (1, 1), respectively.
1 1 and the generator 1) is G (0, 1) = The generator matrix of ARM0 (0, 0 11 matrix of ARM0 (1, 1) is G0 (1, 1) = . 01 For m = 2 we have two families, s = 0 and s = 1, of additive ReedMuller codes of binary length n = 22 . The family ARM0 (r, 2) consists of binary codes obtained from applying the Plotkin construction defined in Proposition 2 to the family ARM0 (r, 1). For s = 1, we define ARM1 (0, 2), ARM 1 (1, 2) and ARM1 (2, 2) as the codes with generator matrices G1 (0, 2) = 1 1 2 , G1 (1, 2) = ⎛ ⎞ 112 112 and G1 (2, 2) = ⎝ 0 1 0 ⎠, respectively. 011 011
226
3.2
J. Pujol, J. Rif` a, and L. Ronquillo
Plotkin and BAPlotkin Constructions
Take the family ARMs and let ARMs (r, m − 1), ARMs (r − 1, m − 1) and ARMs (r − 2, m − 1), 0 ≤ s ≤ m−1 2 , be three consecutive codes with parameters (α, β; γ , δ ), (α, β; γ , δ ) and (α, β; γ , δ ); binary length n = 2m−1 ; minimum distances 2m−r−1 , 2m−r and 2m−r+1 ; and generator matrices Gs (r, m − 1), Gs (r − 1, m − 1) and Gs (r − 2, m − 1), respectively. By using Proposition 2 and Proposition 4 we can prove the following results: Theorem 5. For any r and m ≥ 2, 0 < r < m, code ARMs (r, m) obtained by applying the Plotkin construction from Definition 1 on codes ARMs (r, m − 1) and ARMs (r − 1, m − 1) is a Z2 Z4 additive code of type (2α, 2β; γ, δ), where γ = γ + γ and δ = δ + δ ; binary length n = 2m ; size 2k codewords, where r m k= ; minimum distance 2m−r and ARMs (r − 1, m) ⊂ ARMs (r, m). i i=0 We consider ARMs (0, m) to be the repetition code with only one nonzero codeword (the vector with 2α ones and 2β twos) and ARMs (m, m) be the whole 2β space Z2α 2 × Z4 . Theorem 6. For any r and m ≥ 3, 0 < r < m, s > 0, use the BAPlotkin construction from Definition 3, where generator matrices GX , GY , GZ stand for Gs (r, m − 1), Gs (r − 1, m − 1) and Gs (r − 2, m − 1), respectively, to obtain a new Z2 Z4 additive ARMs+1 (r, m + 1) code of type (2α, α + 4β; γ, δ), where γ = γ + γ , δ = δ + γ + 2δ + δ ; binary length n = 2m+1 ; 2k code r m+1 words, where k = , minimum distance 2m−r+1 and, moreover, i i=0 ARMs+1 (r − 1, m + 1) ⊂ ARMs+1 (r, m + 1). To be coherent with all notations, code ARMs+1 (−1, m + 1) is defined as the all zero codeword code, code ARMs+1 (0, m + 1) is defined as the repetition code with only one nonzero codeword (the vector with 2α ones and α + 4β twos), whereas codes ARMs+1 (m, m + 1) and ARMs+1 (m + 1, m + 1) are defined as α+4β the even Lee weight code and the whole space Z2α , respectively. 2 × Z4 Using both Theorem 5 and Theorem 6 we can now construct all ARMs (r, m) codes for m > 2. Once applied the Gray map, all these codes give rise to binary codes with the same parameters and properties as the RM codes. Moreover, when m = 2 or m = 3, they also have the same codewords.
References 1. Borges, J., Rif` a, J.: A characterization of 1perfect additive codes. IEEE Trans. Inform. Theory 45(5), 1688–1697 (1999) 2. MacWilliams, F.J., Sloane, N.J.A.: The Theory of ErrorCorrecting Codes. NorthHolland Publishing Company, Amsterdam (1977)
Gr¨ obner Representations of Binary Matroids M. BorgesQuintana1, M.A. BorgesTrenard1, and E. Mart´ınezMoro2, 1
Dpto. de Matem´ atica, FCMC, U. de Oriente, Santiago de Cuba, Cuba [email protected], [email protected] 2 Dpto. de Matem´ atica Aplicada, U. de Valladolid, Castilla, Spain [email protected]
Abstract. Several constructions in binary linear block codes are also related to matroid theory topics. These constructions rely on a given order in the ground set of the matroid. In this paper we deﬁne the Gr¨ obner representation of a binary matroid and we show how it can be used for studying diﬀerent sets bases, cycles, activity intervals, etc.
1
Introduction
In this work we provide a representation of a binary matroid. We have tried to keep “Gr¨ obner machinery” [11] out of the paper for those readers non familiar with it. Eﬀective methods for computing the Gr¨obner representation that heavily depend of Gr¨ obner basis techniques can be found in other papers of the authors [1,2,3,4]. The starting point of the research in Gr¨ obner representations can be found in [5,11,12,16]. Let E be a ﬁnite set called ground set and I ⊂ 2E . We say that M = (E, I) is a matroid if the following conditions are satisﬁed: (i) ∅ ∈ I, (ii) If A ∈ I and B ⊆ A, then B ∈ I and (iii) If A, B ∈ I and A = B + 1, then there is an element x ∈ A \ B so that B ∪ {x} ∈ I. Let F2 be the ﬁnite ﬁeld with 2 elements and G be a binary matrix with column index set E. Let I be the collection of sets I ⊆ E such that the column submatrix indexed by I has F2 independent columns. If we consider ∅ ∈ I then M = (E, I) is the binary matroid with ground set E and independent sets I. A base B of M is a maximum cardinality set B ∈ I and a circuit C of M is a subset of E that indexes a F2 minimal dependent column submatrix of G. We call cycles to all the dependent sets (minimal and non minimal). G can be seen as a generator matrix of a code. From now on we consider only binary matrices that provide projective codes, i.e. those that any two columns of the generator matrix are diﬀerent (equivalently, the dual code has minimum weight at least 3). Circuits (respectively cycles) of the matroid deﬁned by G are in one to one correspondence with the minimum weight codewords (respectively codewords)
Partially funded by “Agencia Espa˜ nola de Cooperaci´ on Internacional”, Project A/016959/08. Partially funded by “Junta de Castilla y Le´ on” VA65A07 and “Ministerio Educaci´ on y Ciencia” I+D/I+D+I MTM200766842, MTM200764704.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 227–230, 2009. c SpringerVerlag Berlin Heidelberg 2009
228
M. BorgesQuintana, M.A. BorgesTrenard, and E. Mart´ınezMoro
of the dual code. In matroids the greedy algorithm always succeeds in choosing a base of minimum weight, formally Proposition 1. Let M = (E, I) a matroid where the elements of E are totally ordered, then 1. there is a base A = {a1 , a2 , . . . , ak } with a1 < a2 < . . . < ak , called the ﬁrst basis, such that for any other base X = {x1 , x2 , . . . , xk } with x1 < x2 < . . . < xk we have that ai ≤ xi . 2. there is a base B = {b1 , b2 , . . . , bk } with b1 < b2 < . . . < bk , called the last basis, such that for any other base X = {x1 , x2 , . . . , xk } with x1 < x2 < . . . < xk we have that bi ≥ xi . The ﬁrst base is computed by a greedy algorithm, {a1 } is the smallest independent set of size 1, then a2 is the smallest element such that {a1 , a2 } is independent, and so on. The last base is built in a similar way.
2
A Gr¨ obner Representation of a Binary Matroid
Let {ei }ni=1 be the canonical basis of Fn2 (ie. ei is the vector with 1 in position i and 0 elsewhere). We consider the following total order on the elements of Fn2 . Let x, y ∈ Fn2 we say that x ≺e y if supp(x) ≤ supp(y), or, if supp(x) = supp(y) then x ≺ y where ≺ is the lexicographic ordering on the vectors of Fn2 . Consider a binary matroid and C its associated projective code. We deﬁne the Gr¨ obner representation of the matroid as follows, Canonical forms. The set N is a transversal of Fn2 /C ⊥ such that for each n ∈ N \ {0} there exists ei 1 ≤ i ≤ n such that n = n + ei and n ∈ N . Matphi. Let φ : N × {ei }ni=1 → N be the function that maps each pair (n, ei ) to the element in N representing the coset containing n + ei . We call the pair N, φ a Gr¨ obner representation of M. Suppose we consider the ideal given by I(M) = {xa − xb  (a − b) ∈ C ⊥ } ⊆ F2 [x1 , x2 , . . . , xn ] where (abusing the notation) we consider an element ain Fn2 as a vector a = n obner (a1 , a2 , . . . , an ) ∈ Zn then xa represents the monomial i=1 xai n . A a Gr¨ representation [11] of the ideal I(M) is given by N, φ. An algorithm for computing a Gr¨ obner basis of the ideal can be found in [1]. This greedy algorithm computes the ﬁrst base given N, φ 1. F B ← 0, v ← 0. 2. for i = 1, . . . , n do (if φ(v, ei ) = 0 then F B ← F B + ei , v ← φ(v, ei ) endif ) enddo 3. Return F B. The returned vector is a 01 vector where the 1 index the elements on the ﬁrst basis. Same algorithm applies for the last base just changing the order in the counter for. One can compute a trellis for a linear code isomorphic to Muder’s minimal trellis [13] based on the ﬁrst and last basis, see [6].
Gr¨ obner Representations of Binary Matroids
3
229
Activities
Let M = (E, I) be a matroid on a linearly ordered set E, and let A ⊆ E. We say that an element e ∈ E is Mactive with respect to A if there is a circuit γ such that e ∈ γ ⊆ A ∪ {e} and e is the smallest element of the circuit. We denote by ActM (A) the set of Mactive elements with respect to A. If C is the binary code associated to the matroid, then a codeword c = (c1 , . . . , cn ) of the code C ⊥ (i.e. a cycle of the matroid) is said to have the span interval [i, j] where i ≤ j, if ci cj = 0, and cl = 0 if l < i or j < l. In this case the codeword c is said to be supactive in the interval [i, j − 1], and has span length j − i + 1. Supactive words in binary codes are closely connected with the construction and analysis of trellis oriented generator matrix of C ⊥ (see [8,10] and the references therein). Given N, φ for a matroid M, the nodes of the GRgraph (Gr¨ obner representation graph) be the set N of canonical forms and there is an edge from node n1 to n2 if there is a i, 1 ≤ i ≤ n such that φ(n1 , ei ) = n2 , and the label of that edge is ei . Let A ⊆ E = [1, n] we deﬁne the graph GRA obtained from the GRgraph of the matroid by deleting all the edges labelled with ei , such that i ∈ E \ A and element j is active if: 1. Either j ∈ A and there is a circuit in GRA such that all the labels el fulﬁll l ≥ j and the (binary) sum of all the labels is diﬀerent from 0. 2. or j ∈ / A and there is a circuit in GRA∪{j} such that all the labels el fulﬁll l ≥ j and the (binary) sum of all the labels is diﬀerent from 0. Let A be an interval and let IA the elimination ideal of I = I(M) (see [7] for a deﬁnition) for the variables in {xi }i∈A . Let g the greatest element in A, then the cycles correspond to the nonzero binomials in e
References 1. BorgesQuintana, M., BorgesTrenard, M.A., Fitzpatrick, P., Mart´ınezMoro, E.: On a Gr¨ obner bases and combinatorics for binary codes. Appl. Algebra Engrg. Comm. Comput. 195, 393–411 (2008) 2. BorgesQuintana, M., BorgesTrenard, M.A., Mart´ınezMoro, E.: A general framework for applying FGLM techniques to linear codes. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC 2006. LNCS, vol. 3857, pp. 76–86. Springer, Heidelberg (2006)
230
M. BorgesQuintana, M.A. BorgesTrenard, and E. Mart´ınezMoro
3. BorgesQuintana, M., BorgesTrenard, M.A., Mart´ınezMoro, E.: On a Gr¨ obner bases structure associated to linear codes. J. Discrete Math. Sci. Cryptogr. 102, 151–191 (2007) 4. BorgesQuintana, M., BorgesTrenard, M.A., Mart´ınezMoro, E.: A Gr¨ obner representation of linear codes. In: Advances in Coding Theory and Cryptography, pp. 17–32. World Scientiﬁc, Singapore (2007) 5. BorgesQuintana, M., BorgesTrenard, M.A., Mora, T.: Computing Gr¨ obner Bases by FGLM Techniques in a Noncommutative Settings. J. Symb.Comp. 30, 429–449 (2000) 6. Cameron, P.: Codes, matroids and trellises, citeseerx.ist.psu.edu/343758.html 7. Cox, D., Little, J., O’Shea, D.: Ideals, varieties, and algorithms (1992) 8. Esmaeili, M., Gulliver, T., Secord, N.: Trellis complexity of linear block codes via atomic codewords. In: Chouinard, J.Y., Fortier, P., Gulliver, T.A. (eds.) Information Theory 1995. LNCS, vol. 1133, pp. 130–148. Springer, Heidelberg (1996) 9. Faug`ere, J., Gianni, P., Lazard, D., Mora, T.: Eﬃcient Computation of ZeroDimensional Gr¨ obner Bases by Change of Ordering. J. Symb. Comp. 16(4), 329–344 (1993) 10. Kschischang, F.R., Sorokine, V.: On the trellis structure of block codes. IEEE Trans. Inform. Theory 41, 1924–1937 (1995) 11. Mora, T.: Solving Polynomial Equation Systems II: Macaulay’s Paradigm and Gr¨ obner Technology. Cambridge Univ. Press, Cambridge (2005) 12. Mora, T.: The FGLM Problem and M¨ oller’s Algorithm on Zerodimensional Ideals. In: [15] 13. Muder, D.J.: Minimal trellises for block codes. IEEE Trans. Inform. Theory 34(5, part 1), 1049–1053 (1988) 14. Oxley, J.G.: Matroid Theory. Oxford University Press, Oxford (1992) 15. Sala, M., Mora, T., Perret, L., Sakata, S., Traverso, C. (eds.): Gr¨ obner Bases, Coding, and Cryptography. Springer, Heidelberg (2009) (to appear) 16. Reinert, B., Madlener, K., Mora, T.: A Note on Nielsen Reduction and Coset Enumeration. In: Proc. ISSAC 1998, pp. 171–178. ACM, New York (1998)
A Generalization of the ZigZag Graph Product by Means of the Sandwich Product David M. Monarres1 and Michael E. O’Sullivan2 1
2
Grossmont College El Cajon, CA San Diego State University San Diego, CA
Abstract. In this paper we develop a generalization of the zigzag graph product created by Reingold, Vadhan, and Widgerson[8]. We do this by using a broader definition of directed and undirected graphs in which incidence is determined by functions from the edge set to the vertex set. We introduce the sandwich product of graphs and show how our general zigzag product is a sandwich product.
1
Introduction
In this extended abstract we present a generalization of the zigzag product of graphs which is defined in the manner outlined in the paper by Hoory et.al.[3]. For this definition let – – – –
G be a mregular graph on n verticies. H be a dregular graph on m verticies. Let v1 , v2 , . . . , vm be an enumeration of V (H) For each u ∈ V (G), fix an enumeration e1u , e2u , . . . , em u of the edges incident with u
z H, is a Definition 1. The zigzag product of graphs G and H, denoted G graph on V (G) × V (H) for which (u, vi ) is adjacent to (w, vj ) if and only if there exists k, l ∈ {1, 2, . . . , m} such that both
– (vi , vk ) , (vl , vj ) ∈ E(H), and – eku = elu The development of the zigzag product was a seminal step in the explicit construction of expander graphs. These graphs have been used to address fundametal problems in computer science, such as network design[6,7] and complexity theory[11,10], and areas of pure mathematics, such as topology [1] and measure theory [5]. For a more general survey of the development of the construction of exapnder graphs see Hoory, et al. [3].
This research was supported by NSF CCF Theoretical Foundations grant #0635382.
M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 231–234, 2009. c SpringerVerlag Berlin Heidelberg 2009
232
2
D.M. Monarres and M.E. O’Sullivan
Graphs, Sandwiches, and the ZigZag Product
Our approach does not require the regularity of the first graph to be equal to the number of edges in the second graph, moreover, neither graph needs to be regular. We use definitions of digraph and of graph that allow for loops and parallel edges. The definition is perhaps not standard but is found in Harary[2] (where the term net is used instead of digraph) and is close to the definitions used by MacLane[4], and Serre [9]. We introduce the sandwich product of graphs and we show that the zigzag product of graphs may be concisely presented as the sandwich product of two relatively simple graphs. 2.1
Directed and Undirected Graphs
In the following definitions, a graph is a digraph with additional structure. Definition 2. A directed graph (or digraph), denoted by the letter G, is a collection of two sets E(G) and V (G) together with two functions σG and τG from E(G) to V (G) where – E(G) and V (G) are known as the edge and vertex sets of the net G. – σG and τG are known as the source and terminus functions of the net G. Definition 3. An undirected graph, or just graph, is a digraph G in which there exists a unique involution ρG : E → E such that τG = σG ◦ ρG . We call the function ρG the rotation mapping of the graph G. The term rotation map was used in [8]. In the usual depiction of a graph an edge between two vertices represents two edges according to the preceding definition— one going each direction—and the two are images of each other under the involution ρG . The tip to tail concatenation of the graphs used in the definitions of the zigzag and replacement products has a connection to a more general construct, the pullback of mappings of sets. Definition 4. Let A, B, and C be sets and let f : A → C and g : B → C be functions. Then the pullback of set functions f and g is the set A ×C B = {(a, b) f (a) = g (b)} together with the standard coordinate projections π1 and π2 . We can look at the tip to tail traversing of the edges of two graphs in the zigzag product as really just the pullback of the terminus of one graph and the source of the other. More generally we may define the concatenation of any two graphs as follows: Definition 5. Let G and H be directed graphs with a common vertex set V and let E(G) ×V E(H) be the pullback of the mappings τG and σH . Then the c H, is the directed graph with concatenation of G with H, denoted by G vertex set V , edge set E(G)×V E(H), source map σ = σG ◦ π1 and terminus map τ = τH ◦ π2 .
A Generalization of the ZigZag Graph Product
233
c H is not guaranteed to be a graph, the double concatenation of the While G c c G always is. We will call this type of concatenation the sandwich form G H product.
Definition 6. Let G and H be graphs with common vertex set V . Then the s H, is the graph defined by the sandwich product of G with H, denoted G s c c triple concatination G H = G H G The sandwich product is a “zigzag” like product but with the sole requirement that they have the same vertex set. 2.2
A ZigZag Sandwich
We now can display the zigzag product of two graphs as the sandwich product of two simple graphs. The first factor we call the zig product and the second factor the zag product. Definition 7. Let G and H be graphs. The zig product of G with H, denoted i H, is V (G) copies of the graph H defined by G idV (G) ×ρH
V (G) × E(H) idV (G) ×σH
V (G) × V (H)
The zig product graph will lie at the beginning and end of our product much like how we start and end in a “cloud” when we traverse the replacement product graph in a “zigzag” fashion. We now need to define our analog to the bridges between the “clouds” in the zigzag. We will call this graph the zag product. The zigzag product is the sandwich product of the zig and the zag. Definition 8. Let G and H be graphs and φ : E(G) → V (H) be any mapping. a H, is the graph with vertex Then the zag product of G and H, denoted G a H) = E(G), source mapping σzag = σg × φ set V (G) × V (H), edge set E(G and rotation mapping ρzag = ρG as depicted in the diagram ρG
E(G) σG ×φ
V (G) × V (H) The zigzag product is then the sandwich product of the zig and the zag. z H = (G i H) s (G a H) G
234
D.M. Monarres and M.E. O’Sullivan
The definition above requires only a mapping from the edge set of G to the vertex set of H. It is more general then the one in the paper by Reingold et al. [8] in which G must be regular with regularity equal to the number of vertices in H.
References 1. Gromov, M.: Spaces and questions. Geom. Funct. Anal. (Special Volume, Part I), 118–161 (2000); GAFA 2000 (Tel Aviv, 1999) 2. Harary, F., Norman, R.Z., Cartwright, D.: Structural Models: An Introduction to the Theorey of Directed Graphs. John Wiley & Sons, Inc., Chichester (1966) 3. Hoory, S., Linial, N., Wigderson, A.: Expander Graphs and their Applications. Bulletin of the American Mathematical Society 43(4), 439–561 (2006) 4. MacLane, S.: Categories for the working mathematician. Springer, Heidelberg (1971) 5. Lubotzky, A.: Discrete groups, expanding graphs and invariant measures. Progress in Mathematics, vol. 125. Birkh¨ auser, Basel (1994); With an appendix by Rogawski, J.D. 6. Pippenger, N.: Sorting and selecting in rounds. SIAM Journal on Computing 16(6), 1032–1038 (1987) 7. Pippenger, N., Yao, A.C.: Rearrangeable networks with limited depth. SIAM Journal of Algebraic and Discrete Methods 3, 411–417 (1982) 8. Reingold, O., Vadhan, S., Widgerson, A.: Entropy waves, the zigzag graph product, and new constantdegree expanders. Annals of Mathmatics 155, 157–187 (2002) 9. Serre, J.P.: Trees. Springer, Heidelberg (1980) 10. Valiant, L.G.: Graphtheoretic arguments in lowlevel complexity. In: Gruska, J. (ed.) MFCS 1977. LNCS, vol. 53, pp. 162–176. Springer, Heidelberg (1977) 11. Urquhart, A.: Hard examples for resolution. Journal of the Association for Computing Machinery 34(1), 209–219 (1987)
Novel Eﬃcient Certiﬁcateless Aggregate Signatures Lei Zhang1 , Bo Qin1,3 , Qianhong Wu1,2 , and Futai Zhang4 1
3
UNESCO Chair in Data Privacy Department of Computer Engineering and Mathematics Universitat Rovira i Virgili Av. Pa¨ısos Catalans 26, E43007 Tarragona, Catalonia {lei.zhang,bo.qin,qianhong.wu}@urv.cat 2 Key Lab. of Aerospace Information Security and Trusted Computing Ministry of Education, School of Computer, Wuhan University, China Dept. of Maths, School of Science, Xi’an University of Technology, China 4 College of Mathematics and Computer Science Nanjing Normal University, Nanjing, China [email protected]
Abstract. We propose a new eﬃcient certiﬁcateless aggregate signature scheme which has the advantages of both aggregate signatures and certiﬁcateless cryptography. The scheme is proven existentially unforgeable against adaptive chosenmessage attacks under the standard computational DiﬃeHellman assumption. Our scheme is also eﬃcient in both communication and computation. The proposal is practical for message authentication in manytoone communications.
1
Introduction
The notion of newly introduced aggregate signatures [2] allows an eﬃcient algorithm to aggregate n signatures of n distinct messages from n diﬀerent signers into one single signature. The resulting aggregate signature can convince a veriﬁer that the n signers did indeed sign the n original messages. These properties greatly reduce the resulting signature size and make aggregate signatures very applicable to message authentication in manytoone communications. The inception of certiﬁcateless cryptography [1] eﬃciently addresses the key escrow problem in IDbased Cryptography. In certiﬁcateless cryptosystems, a trusted Key Generation Center (KGC) helps each user to generate his private key. Unlike IDbased cryptosysems, the KGC in certiﬁcateless cryptosystems merely determines a partial private key rather than a full private key for each user. Then the user computes the resulting private key with the obtained partial private key and a selfchosen secret value. As for the public key of each user, it is computed from the KGC’s public parameters and the secret value chosen by the user. With this mechanism, certiﬁcateless cryptosystems avoid the key escrow problem in IDbased cryptosystems. The advantages of certiﬁcateless cryptosystems motivate a number of further studies. The ﬁrst certiﬁcateless signature scheme was presented by AlRiyami M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 235–238, 2009. c SpringerVerlag Berlin Heidelberg 2009
236
L. Zhang et al.
and Paterson [1]. A security deﬁnition of certiﬁcateless signature was formalized in [7] and the AlRiyamiPaterson scheme was analyzed in this model. The security model of CLS schemes was further enhanced in [6,8,9]. Two Certiﬁcateless Aggregate Signature (CLAS) schemes were recently presented [5] with security proofs in a weak model similar to that in [7]. Subsequently, a new CLAS scheme was proposed in [10] and proven secure in a stronger security model. As for eﬃciency, the existing schemes require a relatively large number of paring computations in the process of veriﬁcation and suﬀer from long resulting signatures. Our Contribution. In this paper, we propose a novel CLAS scheme which is more eﬃcient than existing schemes. By exploiting the random oracle model, our CLAS scheme is proven existentially unforgeable against adaptive chosenmessage attacks under the standard CDH assumption. It allows multiple signers to sign multiple documents in an eﬃcient way and the total veriﬁcation information (the length of the signature), consists only 2 group elements. Our scheme is also very eﬃcient in computation and the veriﬁcation procedure need only a very small constant number of pairing computations, independent of the number of aggregated signatures.
2
Our Certiﬁcateless Aggregate Signature Scheme
In this section, we propose a new certiﬁcateless aggregate signature scheme. Our scheme is realized in groups which allowing eﬃcient bilinear maps [3]. 2.1
The Scheme
The speciﬁcation of the scheme is as follows. – Setup: Given a security parameter , the KGC chooses a cyclic additive group G1 which is generated by P with prime order q, chooses a cyclic multiplicative group G2 of the same order and a bilinear map e : G1 ×G1 −→ G2 . The KGC also chooses a random λ ∈ Zq∗ as the masterkey and sets PT = λP , chooses cryptographic hash functions H1 ∼ H4 : {0, 1}∗ −→ G1 , H5 : {0, 1}∗ −→ Zq∗ . The system parameter list is params = (G1 , G2 , e, P, PT , H1 ∼ H5 ). – PartialPrivateKeyExtract: This algorithm is performed by KGC that accepts params, masterkey λ and a user’s identity IDi ∈ {0, 1}∗, and generates the partial private key for the user as follows. 1. Compute Qi,0 = H1 (IDi , 0), Qi,1 = H1 (IDi , 1). 2. Output the partial private key (Di,0 , Di,1 ) = (λQi,0 , λQi,1 ). – UserKeyGen: This algorithm takes as input params, a user’s identity IDi , selects a random xi ∈ Zq∗ and sets his secret/public key as xi /Pi = xi P . – Sign: To sign a message Mi using the signing key (xi , Di,0 , Di,1 ), the signer, whose identity is IDi and the corresponding public key is Pi , ﬁrst chooses a onetimeuse string Δ then performs the following steps.
Novel Eﬃcient Certiﬁcateless Aggregate Signatures
1. 2. 3. 4. 5.
237
Choose a random ri ∈ Zq∗ , compute Ri = ri P . Compute T = H2 (Δ), V = H3 (Δ), W = H4 (Δ). Compute hi = H5 (Mi ΔIDi Pi ). Compute Si = Di,0 + xi V + hi (Di,1 + xi W ) + ri T . Output σi = (Ri , Si ) as the signature on Mi .
– Aggregation: Anyone can act as an aggregate signature generater who can aggregate a collection of individual signatures that use the same string Δ. For an aggregating set (which has the same string Δ) of n users with identities {ID1 , · · · , IDn } and the corresponding public keys {P1 , · · · , Pn }, and messagesignature pairs (M1 , σ1 = (R1 , S1 )), · · · , (Mn , σn = (Rn , Sn )) respectively, the aggregate signature generater computes from {U1 , · · · , Un } n n R = i=1 Ri , S = i=1 Si and outputs the aggregate signature σ = (R, S). – Aggregate Verify: To verify an aggregate signature σ = (R, S) signed by n users with identities {ID1 , ..., IDn } and corresponding public keys {P1 , ..., Pn } on messages {M1 , ..., Mn } under the same string Δ, the veriﬁer performs the following steps. 1. Compute T = H2 (Δ), V = H3 (Δ), W = H4 (Δ), and for all i, 1 ≤ i ≤ n compute hi = H5 (Mi ΔIDi Pi ), Qi,0 = H1 (IDi , 0), Qi,1 = H1 (IDi , 1). n n n ? 2. Verify P ) = e(PT , i=1 Qi,0 + i=1 hi Qi,1 )e(T, R)e(W, i=1 hi Pi ) e(S, n e(V, i=1 Pi ). If the equation holds, output true. Otherwise, output false. In our scheme, each user in an aggregating set must use the same onetimeuse string Δ when signing. As mentioned in [4], it is straightforward to choose such a Δ in certain settings. For example, if the signers have access to some loosely synchronized clocks, Δ can be chosen based on the current time. Furthermore, if Δ is suﬃciently long, then it will be statistically unique. By exploiting a approach similar to that presented in [4], the onetimeuse restriction on common reference string Δ in the above scheme can also be removed to achieve better applicability. 2.2
Security Analysis
Two types of adversaries, who can access to services in addition to those provided to the attacker against regular signatures, are considered in CLPKC – Type I adversary and Type II adversary. A Type I adversary is not allowed to access to the masterkey, but he can replace the public key of any user with a value of his choice. A Type II adversary can access to the masterkey but he cannot replace the public key of any user. In a secure CLAS scheme, it is infeasible for Type I adversary and Type II adversary to forge a valid signature. Under the standard computational DiﬃeHellman assumption, the proposed CLAS scheme is provably secure against both types of adversaries in the random model. The formal security proof is in the full version of this paper.
238
3
L. Zhang et al.
Conclusion
We presented an eﬃcient certiﬁcateless aggregate signature scheme. To verify an aggregate signature signed by n users on n messages under the same string, a veriﬁer only needs to compute four pairing operations. The proposal is provably secure in the random oracle model assuming that the computational DiﬃeHellman problem is hard. Our CLAS scheme can be applied to authentication in bandwidth limited scenarios such as manytoone communications.
Acknowledgments and Disclaimer This paper is partly supported by the Spanish Government through projects CONSOLIDER INGENIO 2010 CSD200700004 ARES, TSI200765406C0301 EAEGIS and by the national nature science foundation of China (No. 60673070). The views of the author with the UNESCO Chair in Data Privacy do not necessarily reﬂect the position of UNESCO nor commit that organization.
References 1. AlRiyami, S.S., Paterson, K.G.: Certiﬁcateless Public Key Cryptography. In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003) 2. Boneh, D., Gentry, C., Shacham, H., Lynn, B.: Aggregate and Veriﬁably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 3. Boneh, D., Franklin, M.: Identitybased Encryption from the Weil Pairing. SIAM J. Comput. 32, 586–615 (2003); a Preliminary Version Appeared. In: Kilian, J. (ed.): CRYPTO 2001. LNCS, vol. 2139, pp. 213229. Springer, Heidelberg (2001) 4. Gentry, C., Ramzan, Z.: IdentityBased Aggregate Signatures. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 257–273. Springer, Heidelberg (2006) 5. Gong, Z., Long, Y., Hong, X., Chen, K.: Two Certiﬁcateless Aggregate Signatures from Bilinear Maps. In: Proc. of the Eighth ACIS International Conference on Software Engineering, Artiﬁcial Intelligence, Networking, and Parallel/Distributed Computing, pp. 188–193 (2007) 6. Hu, B.C., Wong, D.S., Zhang, Z., Deng, X.: Key Replacement Attack Against a Generic Construction of Certiﬁcateless Signature. In: Batten, L.M., SafaviNaini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 235–246. Springer, Heidelberg (2006) 7. Huang, X., Susilo, W., Mu, Y., Zhang, F.: On the Security of Certiﬁcateless Signature Schemes from Asiacrypt 2003. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds.) CANS 2005. LNCS, vol. 3810, pp. 13–25. Springer, Heidelberg (2005) 8. Huang, X., Mu, Y., Susilo, W., Wong, D.S., Wu, W.: Certiﬁcateless Signature Revisited. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 308–322. Springer, Heidelberg (2007) 9. Zhang, Z., Wong, D.: Certiﬁcateless PublicKey Signature: Security Model and Eﬃcient Construction. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 293–308. Springer, Heidelberg (2006) 10. Zhang, L., Zhang, F.: A New Certiﬁcateless Aggregate Signature Scheme. Computer Communications (2009), doi:10.1016/j.comcom.2008.12.042
Bounds on the Number of Users for Random 2Secure Codes Manabu Hagiwara1,2, Takahiro Yoshida1,2 , and Hideki Imai1,3 1
1
Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, 11813 Sotokanda, Chiyodaku, Tokyo 1010021, Japan [email protected] 2 Center for Research and Development Initiative, Chuo University, 11327 Kasuga, Bunkyoku, Tokyo, Japan [email protected] 3 Faculty of Science and Engineering, Chuo University, Kasuga, Bunkyoku, Tokyo. 1128551, Japan [email protected]
Introduction
An illegal redistribution problem is a problem that a regular user who received content redistributes without legal permutation. This becomes a social problem all over the world. As it is indicated in [2], this problem has been known since a few or more handred years ago. Boneh and Shaw formalize this problem as collusionsecure ﬁngerprinting (csecure code) for digital data [2]. After their work, study of csecure code has become one of popular research stream for information security [1]. One of remarkable results is called Tardos’s code [5]. Tardos’s code achieved to construct approximately optimal length csecure codes with random coding method. On the other hand, it is an interesting research way to restrict the number of colluders to small values [3]. Small colluder cases give us many knowledge, techniques, and examples for csecure code theory. In [4], it is shown that coinﬂipping codes are useful for 2secure code which is a csecure code restricted to against at most two colluders. In this extended abstruct, we investigate the coinﬂipping codes as 2secure codes. We give three formulas to represent the success probability of simple tracing algorithm for the coinﬂipping codes. It shows that even if the code length is short, e.g. 128 bits, it succeeds to trace one of colluders with high probability, e.g. 0.9999. A nontrivial achievable rate for our coinﬂipping code is also given.
2
Notations and Definitions
Let n be a positive integer. First, the administrator divides a content to n or more parts, chose n parts from the divided contents. A user i can requests to obtain a copy of the content one time. The administrator registers the person i. This is formalized as follows: The set of registered M. BrasAmor´ os and T. Høholdt (Eds.): AAECC 2009, LNCS 5527, pp. 239–242, 2009. c SpringerVerlag Berlin Heidelberg 2009
240
M. Hagiwara, T. Yoshida, and H. Imai
users U is deﬁned as a set of integers. For ease, the set U is starting with 1 and is consecutive, i.e. U = {1, 2, 3, . . . }. The administrator ﬂips coins n times. We assume that the probability to have face side is 0.5 and the one of the other side is 0.5 also. If jth coin is face side, (i) (i) we put cj = 0. If otherwise, put cj = 1. Therefore the administrator obtains (i)
(i)
(i)
nbit sequence c(i) = (c1 , c2 , . . . , cn ). The administrator memorizes c(i) to a database which the only administrator accesses. We call the set of codewords (i) constructed by coinﬂipping coinflipping code. The bit cj is encrypted and is embedded to jth part of the requested content. Assume that any user cannot decrypt and cannot distinguish which bit is embedded. The user i receives the requested content which the secret nbit sequence c(i) is embedded by the administrator. 2.1
Collusion Attack under MarkingAssumption
We introduce the notion, called markingassumption. For details, see the reference [2]. It is assumed that any user cannot delete the embedded codeword or a part of the codeword from a distributed content. The only attack users can is to shuﬄe the distributed content. We assumed that user cannot distinguish which bit is embedded to the distributed contents. However, it is possible for (a) (b) users a and b to ﬁnd a part associated to jth part if the diﬀerent bits cj = cj are embedded by comparing their content. 2.2
Tracing Algorithm for CoinFlipping Codes
If illegally redistributed content is found somewhere, the administrator decrypts a bit sequence y from the content. The administrator tries to trace at least one of the colluders by analyzing y. A tracing algorithm T is an algorithm which inputs a bit sequence and outputs a subset of the users U. The details of our algorithm are the following: For the input y and an user i ∈ U, calculate Hamming distance d(c(i) , y). For i, denote the Hamming distance by si and call it the score of i for y. Since a value of Hamming distance is nonnegative integer, we have minimum value s in {d(c(i) , y)i ∈ U}. Deﬁne a set Us := {i ∈ Ud(c(i) , y) = s}. Then output Us . We denote the output Us by T (y). Remark that the output Us is not the empty set. We call the algorithm T (y) Hamming distance tracing algorithm.
3
Main Results
Let us introduce the numerical security indicator for coinﬂipping codes as 2secure codes. We propose the success probability Sn,U by putting: Sn,U = Prob[T (y) ⊂ {colluders}, y : illegally redistributed code]. = Prob[c(1) , c(2) , . . . , ∈R {0, 1}n , a, b ∈R U, y = Sa,b (c(a) , c(b) ), T (y) ⊂ {a, b}], where Sa,b (c(a) , c(b) ) is the best strategy for a, b with inputs (c(a) , c(b) ) and Ex() is the expected value function.
Bounds on the Number of Users for Random 2Secure Codes
241
Theorem 1. Let n be the code length of a coinflipping code and U the number of the users. Then the success probability Sn,U is written by the following two forms: −(U−2)h(n,(s−1)/2) , 1) 21n 0≤s≤n,s:odd n+1 s 2 2) Exx∈{0,1}n [( 12 )(U−2)h(n,wt(x)/2) ], where h(n, a) := n − log2 (2n − 0≤t≤a nt )) and wt(x) is the Hamming weight of x. We call Sn,U a security parameter. How Sn,U should be small depends on the application. It is enough that the users give up redistributing illegally. It is easy to calculate h(n, a) if n is not so huge, e.g. n = 128, and 0 ≤ a < n/2 by using a math software, e.g. MuPAD, MATLAB, MAPLE, Mathematica and so on. Once we obtained a list of h(n, a), it is easy to calculate Sn,U by the form in Theorem 1 (1). The following is a table of upper bounds on the maximal number of users for satisfying Sn,U > 0.99, 0.999, 0.9999. Table 1. The Upper Bounds on The Number of Users for Satisfying a Given Security Parameter and a Code Length n = 32 n = 64 n = 128
Sn,U > 0.99 Sn,U > 0.999 Sn,U 3 2 57 7 68031 5363
> 0.9999 2 2 516
From now, let introduce the following game G: (1) Toss up n coins. Count the number of the face sides. (2) Repeat step (1) U − 2 times. Put the maximal number of the face sides and denote it by s1 . (3) Toss up n coins again. Count the number of the faces and denote it by s2 . (4) You win if 2s1 + s2 < 2n. You lose if the otherwise. Denote the winning probability of the above game by Wn,U . Theorem 2. For U ≥ 3, n ≥ 1, Wn,U = Sn,U . It is interesting to know a theoretical capacity on the maximal number of the users with inﬁnite length. Recently, a capacity of collusion secure code has been investigated by many researchers [1]. It is not trivial that there exist the capacity for our code. We investigate an achievable rate R for the coinﬂipping code with Hamming distance tracing algorithm, where an achievable rate R is a constant such that limn→∞ Sn,U = 0 for R0 > R, where U = 2R0 Theorem 3. For any R < 1 − h(1/4), limn→∞ Sn,U = 1, where h(·) is the binary entropy function, i.e. h(x) = −x log2 x − (1 − x) log2 (1 − x). In particular, the capacity is more than 1 − h(1/4), if it exists.
242
4
M. Hagiwara, T. Yoshida, and H. Imai
Applications: Digital Cinema Distribution and Hard Paper Distribution
A recent illegally redistribution problem is unoﬃcial copied DVD purchases. It is said that someone records a ﬁlm by his own video camera in a cinema theater and he made illegally copied DVDs by him to sell them. In this senario, the administrator is a provide company for ﬁlms and the users are cinema theatersa and divides ﬁlms to n or more sets of frames. If a cinema theater requests the ﬁlm, the administrator embeds nbit codeword to the associated nset of frames. If an illegally redistributed content is found, the administrator traces a cinema theater where the ﬁlm was recorded. Then the administrator asks the cinema theater to pay more attention customers illegal recording. Corporation of the administrator and cinema theaters makes illegal recoding harder for pirate customers. At the early stage, it is possible for a pirate customer to ﬁnd cinema theaters which does not pay so much attention to such illegal recording. However by repeating making eﬀorts between the administrator and theaters, we expect to reduce such crime. There are not many ﬁlm screens. For example, 3221 screens are in Japan, 2007 [6]. In Japan, the success probability of coinﬂipping codes is more than 0.999 if the code length is 128. The next application is to protect hard papers from away illegally redistributions. The administrator is the president of a company or the chairman of the director’s meeting. In this case, the number of the users is at most dozens. Furthermore the number of the colluders is at most a few by social reasons. The administrator embeds each bit of a ﬁngerprinting codeword to each page of the material. If there is a mass of materials, it is hard to delete that from the point of cost.
References 1. Amiri, E., Trados, G.: High rate fingerprinting codes and the fingerprinting capacity. In: Proc. of the Twentieth Annual ACMSIAM Symp. on Discrete Algorithms 2. Boneh, D., Shaw, J.: Collusionsecure fingerprinting for digital data. IEEE Transactions of Information Theory 44, 480–491 (1998) 3. Schaathun, H.G.: Fighting three pirates with scattering codes. In: Proc. Inter. Symp. on Information Theory, 2004. ISIT 2004, June2 July, vol. 27, p. 202 (2004) 4. Hagiwara, M., et al.: A short random fingerprinting code against a small number of pirates. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC 2006. LNCS, vol. 3857, pp. 193–202. Springer, Heidelberg (2006) 5. Tardos, G.: Optimal Probabilistic Fingerprint Codes. In: Proceedings of the 35th Annual ACM Symp. on Theory of Computing, pp. 116–125 (2003); J. of the ACM (to appear) 6. Website of Motion Picture Producers Association of Japan, Inc., http://www.eiren.org/history_e/index.html
Author Index
´ Alvarez, Rafael 117 ´ Alvarez, V´ıctor 204 ´ Armario, Jos´e Andr´ es
Nagata, Kiyoshi Nemenzo, Fidel 204
O’Sullivan, Michael E. Osuna, Amparo 204 ¨ Ozadam, Hakan 92 ¨ Ozbudak, Ferruh 92
Basu, Riddhipratim 137 Beelen, Peter 1 Bernal, Jos´e Joaqu´ın 101 Bierbrauer, J¨ urgen 179 BorgesQuintana, M. 227 BorgesTrenard, M.A. 227 BrasAmor´ os, Maria 32 Brevik, John 65 Climent, JoanJosep Cui, Yang 159 Duursma, Iwan
73
ElMahassni, Edwin D.
Qin, Bo
195
Shin, SeongHan 149 Sim´ on, Juan Jacobo 101 Szabo, Steve 219
204
Talukdar, Tanmoy 137 Tom´ as, Virtudes 73 Torres, F. 23 Tortosa, Leandro 117
Hagiwara, Manabu 239 Han, Wenbao 127 Herranz, Victoria 73 Høholdt, Tom 53
Umlauf, Anya
´ Ibeas, Alvar 169 Iglesias Curto, Jos´e Ignacio 83 Imai, Hideki 149, 159, 239 53
Maitra, Subhamoy 137 Mart´ınezMoro, E. 227 Monarres, David M. 231 Morozov, Kirill 159 Munuera, C. 23
65
Vicent, Jos´e 117 Villanueva, J. 23 Villanueva, Merc`e 43 Wada, Hideo 107 Winterhof, Arne 169 Wolski, Rich 65 Wu, Qianhong 235
Kirov, Radoslav 11 Kobara, Kazukuni 149, 159 Landjev, Ivan 186 L´ opezPermouth, Sergio R.
235
Rif` a, J. 223 ´ R´ıo, Angel del 101 Ronquillo, L. 223 Ruano, Diego 1
Giorgetti, Marta 215 Gomez, Domingo 195 Gudiel, F´elix 204
Janwal, Heeralal
32, 65, 231
Paul, Goutam 137 Perea, Carmen 73 Pernas, Jaume 43 Pujol, Jaume 43, 223
11
Fan, Shuqin 127 Frau, Mar´ıa Dolores
107 107
219
Yang, Yang 127 Yoshida, Takahiro
239
Zamora, Antonio 117 Zeng, Guang 127 Zhang, Futai 235 Zhang, Lei 235